LinuxQuestions.org
Old 07-15-2010, 07:59 PM   #1
3rods
Member
 
Registered: Mar 2008
Posts: 70

Rep: Reputation: 16
What is the best way to real-time sync file between machines?


I have a few servers that are exposed to the internet. When someone tries to brute force hack into the ssh, ossec adds their IP to the hosts.deny. Then the hacker (read: script kiddie) moves to the next IP up the line and hits my next server, etc, etc.

I end up getting 20 emails for all the servers that they hit.

My question: is there any way to sync the hosts.deny file across multiple servers so that if they are locked out of one, they are locked out of all?
 
Old 07-15-2010, 08:37 PM   #2
indelible
LQ Newbie
 
Registered: Aug 2008
Posts: 25

Rep: Reputation: 2
You could mount a network drive somewhere and have the hosts.deny file there, with symlinks on each server pointing to the network mount, but that does introduce a single point of failure for each server.

Or you could consider a cron/rsync setup, periodically rsync'ing the hosts.deny file across the servers.

Though if you don't have this kind of access, then I can only think of writing a custom script to do the job, but there might be other solutions.
 
Old 07-15-2010, 08:51 PM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by 3rods View Post
I have a few servers that are exposed to the internet. When someone tries to brute force hack into the ssh, ossec adds their IP to the hosts.deny. Then the hacker (read: script kiddie) moves to the next IP up the line and hits my next server, etc, etc.

I end up getting 20 emails for all the servers that they hit.

My question: is there any way to sync the hosts.deny file across multiple servers so that if they are locked out of one, they are locked out of all?
I don't know ossec, or how it handles the hosts.deny file,
but ...

I'd look into whether or not ossec supports custom hooks
that would allow you ssh connections between your servers
and then use something like
Code:
hook <output hosts.deny line>| ssh ossec@serverX "cat - >> /etc/hosts.deny"
in a loop for all the servers that aren't the one which
gets hit. Reason for that is that if a skiddie goes out
of sequence for some reason, an rsync or other simple
file based replication method will inadvertently overwrite
a local file w/ changes that AREN'T in the sending one
yet.

Also, if you have the option, see whether you can make
ossec use iptables for its blocking rather than tcp wrappers;
a) wrappers requires the files hosts.{deny,allow} to be
read whenever new events occur, while iptables are in
memory (kernel space on top of that), and b) the propagation
w/ non file based methods makes it fool proof in that it
won't overwrite pre-existing blocking information.


Cheers,
Tink
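
Added example (not part of Tinkster's post and not OSSEC code): a receiver for the append-based propagation described above, meant to run on each peer in place of a raw `cat - >> /etc/hosts.deny`. It assumes senders pipe one bare IPv4 address per line and that entries are stored as `ALL: <ip>`; the function names are hypothetical.

```shell
#!/bin/sh
# Append-only merge into a deny file: nothing already in the file is ever
# rewritten, so blocks that exist only on this server survive every update.

# is_ipv4 ADDR -> exit status 0 only for a dotted quad with octets 0..255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;   # stray characters, empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# merge_deny FILE -> reads addresses on stdin, prints how many were added
merge_deny() {
    deny_file=$1
    added=0
    while IFS= read -r addr || [ -n "$addr" ]; do
        # Refuse anything that is not a plain address, so a peer cannot
        # inject arbitrary hosts.deny syntax through this channel.
        is_ipv4 "$addr" || continue
        # -x whole line, -F fixed string: the dots must not act as wildcards.
        grep -qxF "ALL: $addr" "$deny_file" 2>/dev/null && continue
        printf 'ALL: %s\n' "$addr" >> "$deny_file"
        added=$((added + 1))
    done
    echo "$added"
}
```

Because each peer only appends addresses it does not already list, updates can arrive in any order without one server's file replacing another's.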
 
Old 07-15-2010, 09:06 PM   #4
simon.sweetman
Member
 
Registered: Mar 2009
Posts: 32

Rep: Reputation: 22
If you stick with using hosts.deny it would be worth keeping a timestamp on each entry you add. It will then be easier to automate a trim of the old deny rules and avoid your servers bogging down processing large block lists every time a packet comes in. e.g:

Code:
# 07/17/2010 y.y.y.y automated block for ssh attack
y.y.y.y
# 07/15/2010 x.x.x.x automated block for ssh attack
x.x.x.x

Last edited by simon.sweetman; 07-15-2010 at 09:08 PM.
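
Added example (not part of the post above): one way to automate the trim, using the timestamp-comment layout shown in the post. `prune_deny` is a hypothetical name and the cutoff date is passed in as YYYYMMDD.

```shell
#!/bin/sh
# prune_deny FILE CUTOFF -> prints FILE without automated blocks dated before
# CUTOFF (YYYYMMDD). Lines that do not follow the timestamp layout are kept.
prune_deny() {
    awk -v cutoff="$2" '
        # Timestamp comment in the layout from the post: "# MM/DD/YYYY <ip> <reason>"
        /^# [0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9] / {
            split($2, d, "/")
            # Reorder to YYYYMMDD so a numeric comparison follows the calendar.
            expired = ((d[3] d[1] d[2]) + 0 < cutoff + 0)
            ip = expired ? $3 : ""       # remember whose entry should follow
            if (!expired) print
            next
        }
        ip != "" {
            # Drop the next line only if it really is the entry for that
            # address; accepts a bare address or a "daemon: address" form.
            n = split($0, f, /[: \t]+/)
            owner = ip; ip = ""
            if (f[n] == owner) next
        }
        { print }
    ' "$1"
}
```

Write the output to a temporary file and move it into place rather than redirecting straight onto the file being read.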
 