LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 06-05-2007, 08:21 PM   #1
sbabcock23
Member
 
Registered: Aug 2006
Location: Mississauga, Ontario, Canada
Distribution: RHEL 5, CentOS 5
Posts: 64

Rep: Reputation: 15
Firewall Suggestions


Hi,

I have a situation. I have these IP addresses that are attacking my box. They are trying to log into ssh with a user and pass and it fails. What I want to do is block them after a certain IP fails to log in after 3 tries. However I do not want to lock the user, because they are attacking my user etc. Is this possible?

Thanks,
Steve
 
Old 06-05-2007, 11:21 PM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I have read (but of course don't remember) several articles talking about how to do this, so I know solutions are out there. This article talks about one such solution about half way down the page. For other solutions, try entering the word iptables and the phrase ssh attack in a search engine. Or perhaps come up with better search terms.

EDIT: As fate would have it, I just ran across one of the solutions that I couldn't remember the name of ... From Fail2ban's website:

Quote:
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
The article I was reading says it works for ssh and does exactly what you are asking. Bans can be temporary or permanent. You can protect selected IP addresses from being banned via a whitelist. Cheers.

Last edited by blackhole54; 06-06-2007 at 12:48 AM.
 
Old 06-06-2007, 06:47 AM   #3
sbabcock23
Member
 
Registered: Aug 2006
Location: Mississauga, Ontario, Canada
Distribution: RHEL 5, CentOS 5
Posts: 64

Original Poster
Rep: Reputation: 15
OK, thanks for your input, I will check it out.
Steve
 
Old 06-07-2007, 05:36 PM   #4
ElGeorge
LQ Newbie
 
Registered: May 2007
Posts: 8

Rep: Reputation: 0
Try Denyhosts

I'd suggest you try Denyhosts, which is an application specifically designed to block SSH attacks.

The app can be run from cron or as a daemon, and basically allows you to configure the app to block failed attempts to your SSH service. It sends offending IPs to the hosts.deny file and allows you to configure things differently for "root" or other users (i.e. if someone tries to log in as root, block them right away, but if someone tries to access another account, block the IP after 10 attempts, and so on). The config file is pretty straightforward.

http://denyhosts.sourceforge.net/

If you Google "denyhosts tutorial" you'll find some useful articles about installing and configuring.

George
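The per-source-address counting that both Fail2ban (post #2) and DenyHosts (post #4) perform, as an added example that is not code from either project: it parses constructed OpenSSH auth-log lines, flags an address after 3 failures (the threshold Steve asked for) or after a single failure against root (the per-user rule George describes), honours a whitelist, and renders hosts.deny entries. The log lines, the documentation-range addresses and the use of `sshd` as the daemon name in hosts.deny are assumptions for the illustration.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (documentation-range addresses) in the
# OpenSSH format that Fail2ban and DenyHosts parse; one successful login
# is included to show that it is ignored.
SAMPLE_LOG = """\
Jun  5 20:10:01 box sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2
Jun  5 20:10:03 box sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 40212 ssh2
Jun  5 20:10:05 box sshd[2205]: Failed password for steve from 203.0.113.7 port 40213 ssh2
Jun  5 20:10:09 box sshd[2207]: Failed password for steve from 198.51.100.9 port 51000 ssh2
Jun  5 20:10:11 box sshd[2209]: Accepted password for steve from 198.51.100.9 port 51001 ssh2
Jun  5 20:11:40 box sshd[2211]: Failed password for invalid user test from 192.0.2.44 port 33000 ssh2
Jun  5 20:11:42 box sshd[2213]: Failed password for root from 192.0.2.44 port 33002 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def count_failures(log_text):
    """Return (failures per IP, root failures per IP). Counting is keyed
    by source address, not by user name, so an attacker guessing Steve's
    password gets banned without Steve's account being locked."""
    counts, root_counts = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            counts[ip] += 1
            if user == "root":
                root_counts[ip] += 1
    return counts, root_counts

def offenders(log_text, threshold=3, root_threshold=1, whitelist=()):
    """Addresses to ban: threshold failures overall, or root_threshold
    failures against root, unless the address is whitelisted."""
    counts, root_counts = count_failures(log_text)
    return sorted(ip for ip in counts
                  if ip not in whitelist
                  and (counts[ip] >= threshold or root_counts[ip] >= root_threshold))

def hosts_deny_lines(ips):
    """DenyHosts-style /etc/hosts.deny entries; daemon name sshd is assumed."""
    return ["sshd: %s" % ip for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```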
 
Old 06-08-2007, 11:40 AM   #5
sbabcock23
Member
 
Registered: Aug 2006
Location: Mississauga, Ontario, Canada
Distribution: RHEL 5, CentOS 5
Posts: 64

Original Poster
Rep: Reputation: 15
I tried denyhosts and it seems to work really well and it was very very easy to configure. I would recommend it to anyone. I'll check out the stats tonight to see how many attempts were made and then blocked. People were attacking by the thousands. I guess my next question is: people are attacking my mailserver to see if it is an open relay server (which it is not), is there a way to block them? What are your opinions on IPCop?

Thanks
 
Old 06-08-2007, 12:28 PM   #6
cosmo289
LQ Newbie
 
Registered: Jun 2006
Posts: 12

Rep: Reputation: 0
sba, do you work for a company and are you getting attacked?
 
Old 06-08-2007, 10:53 PM   #7
sbabcock23
Member
 
Registered: Aug 2006
Location: Mississauga, Ontario, Canada
Distribution: RHEL 5, CentOS 5
Posts: 64

Original Poster
Rep: Reputation: 15
No, I have a personal server, why does that matter? I am still getting attacked. Within hours it was being attacked!!!
 
Old 06-10-2007, 12:04 AM   #8
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by sbabcock23
What are your opinions on IPCop?
I played with it several hours a year or two ago and was favorably impressed, but I had no immediate need for it. I have also read favorable comments from other people. YMMV. If you have a spare computer lying around I would suggest you play around with it on that before deciding if you want to put it into production. Its requirements are quite minimal (particularly for simple testing), but it is designed to be the only thing on the box.

I don't know that IPCop would specifically help with your mail server being swarmed. Fail2ban might be better for this task unless you have only a small number of IP addresses that you want to allow to access your mail server. (I suppose you could run something like fail2ban on your IPCop box, but the developers of IPCop warn you to be very careful about adding additional software to make sure you don't inadvertently create a security hole.)

Last edited by blackhole54; 06-10-2007 at 12:06 AM.
 
Old 06-10-2007, 02:59 AM   #9
Road_map
Member
 
Registered: Jan 2007
Distribution: Slackware
Posts: 341

Rep: Reputation: 31
In /etc/ssh/sshd_config:
Code:
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 1

# List of user names allowed to log in
AllowUsers user1 user2 user3 user4
In /etc/hosts.deny:
Code:
ALL: ALL
In /etc/hosts.allow:
Code:
ALL: aaa.bbb.ccc.ddd
Read also
http://linux.about.com/od/commands/l...l5_hostsde.htm
http://www.linux.com/article.pl?sid=07/03/26/1423232
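The hosts.deny / hosts.allow pair in the post above relies on the tcp_wrappers evaluation order (hosts.allow is consulted first, then hosts.deny, and a client matching neither is permitted). As an added illustration that is not part of the post, this small evaluator reproduces that order for the ALL, exact-address and trailing-dot prefix patterns; the rule sets and the address 203.0.113.10 standing in for aaa.bbb.ccc.ddd are constructed for the example.

```python
# Constructed rule sets mirroring the post: deny everything, then allow
# one management address (203.0.113.10 stands in for aaa.bbb.ccc.ddd).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "ALL: 203.0.113.10\n"

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients)
    tuples; comments, blank lines and option fields are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        rules.append((daemons.split(), clients.split()))
    return rules

def pattern_matches(pattern, value):
    """ALL matches anything; a pattern ending in '.' is a network prefix
    (e.g. '192.0.2.'); anything else must match exactly."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value

def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(pattern_matches(d, daemon) for d in daemons)
            and any(pattern_matches(c, client) for c in clients))

def access_granted(daemon, client, allow_text, deny_text):
    """tcp_wrappers order: a hosts.allow match grants, then a hosts.deny
    match refuses, and a client matching neither file is let in."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return False
    return True

if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.7"):
        print(client, access_granted("sshd", client, HOSTS_ALLOW, HOSTS_DENY))
```

With the post's rules only the whitelisted address reaches sshd; a hosts.deny line such as `sshd: 192.0.2.44` (the DenyHosts form) blocks that one address for sshd while leaving other daemons untouched.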
 
All times are GMT -5.