Firewall Suggestions
Hi,
I have a situation. I have these IP addresses that are attacking my box. They are trying to log into SSH with a user and pass and it fails. What I want to do is block them after a certain IP fails to log in after 3 tries. However, I do not want to lock the user, because they are attacking my user etc. Is this possible? Thanks, Steve |
I have read (but of course don't remember :) ) several articles talking about how to do this, so I know solutions are out there. This article talks about one such solution about half way down the page. For other solutions, try entering the word iptables and the phrase ssh attack in a search engine. Or perhaps come up with better search terms. :)
EDIT: As fate would have it, I just ran across one of the solutions that I couldn't remember the name of ... From Fail2ban's website: Quote:
|
Ok thanks for your input, I will check it out.
Steve |
Try Denyhosts
I'd suggest you try Denyhosts which is an application specifically designed to block SSH attacks.
The app can be run with a cron job or as a daemon, and basically allows you to configure it to block failed attempts against your SSH service. It sends offending IPs to the hosts.deny file, and allows you to configure things differently for "root" or other users (i.e. if someone tries to log in as root, block them right away, but if someone tries to access another account, block the IP after 10 attempts, and so on). The config file is pretty straightforward. http://denyhosts.sourceforge.net/ If you Google "denyhosts tutorial" you'll find some useful articles about installing and configuring. George |
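As an added illustration of the per-source-IP counting George describes (this is not code from the thread, from Denyhosts or from Fail2ban), here is a small Python script that reads OpenSSH "Failed password" lines, counts failures per client IP rather than per account, applies a lower threshold to root than to other users, and emits the corresponding hosts.deny entries. The log lines, IP addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth log lines (not taken from the thread).
SAMPLE_LOG = """\
Mar 10 08:01:12 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 08:01:15 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 10 08:01:19 box sshd[2103]: Failed password for steve from 203.0.113.7 port 51244 ssh2
Mar 10 08:02:01 box sshd[2110]: Failed password for root from 198.51.100.23 port 40112 ssh2
Mar 10 08:02:30 box sshd[2115]: Failed password for steve from 192.0.2.44 port 33001 ssh2
Mar 10 08:02:45 box sshd[2116]: Accepted password for steve from 192.0.2.44 port 33002 ssh2
"""

# Matches both "Failed password for steve from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def offending_ips(log_text, threshold=3, root_threshold=1):
    """Return {ip: failure_count} for sources that crossed a threshold.

    Failures are counted per source IP, never per account, so a legitimate
    user is not locked out when someone else guesses their password.
    Attempts against root use a separate, lower threshold.
    """
    fails = defaultdict(int)
    root_fails = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, user = m.group("ip"), m.group("user")
        fails[ip] += 1
        if user == "root":
            root_fails[ip] += 1
    return {ip: n for ip, n in fails.items()
            if n >= threshold or root_fails[ip] >= root_threshold}


def hosts_deny_lines(blocked):
    """Format offenders as TCP wrappers entries for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    for entry in hosts_deny_lines(offending_ips(SAMPLE_LOG)):
        print(entry)
```

With the sample above, 203.0.113.7 is listed after its third failure, 198.51.100.23 after a single root attempt, and 192.0.2.44 (one failure, then a successful login) is left alone.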
I tried Denyhosts and it seems to work really well, and it was very, very easy to configure. I would recommend it to anyone. I'll check out the stats tonight to see how many attempts were made and then blocked. People were attacking by the thousands. I guess my next question is: people are attacking my mail server to see if it is an open relay (which it is not); is there a way to block them? What are your opinions on IPCop?
Thanks |
sba, do you work for a company and are you getting attacked?
|
No, I have a personal server. Why does that matter? I am still getting attacked. Within hours it was being attacked!!!
|
I don't know that IPCop would specifically help with your mail server being swarmed. Fail2ban might be better for this task unless you have only a small number of IP addresses that you want to allow to access your mail server. (I suppose you could run something like fail2ban on your IPCop box, but the developers of IPCop warn you to be very careful about adding additional software to make sure you don't inadvertently create a security hole.) |
In /etc/ssh/sshd_config:
Code:
# Authentication:
Code:
ALL: ALL
Code:
ALL: aaa.bbb.ccc.ddd
http://linux.about.com/od/commands/l...l5_hostsde.htm
http://www.linux.com/article.pl?sid=07/03/26/1423232 |