Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
---------------------- httpd End -------------------------
These are failed ssh attempts. How do they differ from the list of dictionary attacks I see?
--------------------- pam_unix Begin ------------------------
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Is this the same as the above stuff? Just broken out by IP?
Failed logins from:
58.68.32.172 (abs-static-172.32.68.58.aircel.co.in): 21 times
62.112.195.219: 163 times
124.254.14.153 (undefined.bjgwbn.net.cn): 13 times
209.178.196.3: 32 times
Illegal users from:
62.112.195.219: 15 times
94.75.250.7 (hosted-by.leaseweb.com): 49 times
124.254.14.153 (undefined.bjgwbn.net.cn): 7 times
Received disconnect:
11: Bye Bye : 268 Time(s)
I will be configuring the fail2ban code today but wanted to understand what is going on here.
For the 404s, if you know you don't have those files, then they can't be exploited; not really worth bothering about, but I think fail2ban can potentially block them too.
The failed attempts do look like the same as the SSHD ones (both 163 for root etc.), so they would be handled at the same time.
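To make the two logwatch sections concrete, here is an added example (not from the thread) that splits raw sshd syslog lines into password failures against accounts that exist ("Failed logins") and attempts that used usernames that do not exist on the box ("Illegal users"), counted per source IP. The log lines and hostnames are constructed; the split follows the meaning of the two sections rather than logwatch's exact parser.

```shell
#!/bin/sh
# Added example: summarize sshd auth failures per source IP, separating
# existing-account failures from attempts with non-existent usernames.
# Constructed sample lines (not real log data):
SAMPLE_LOG='Mar  3 04:12:01 host sshd[2211]: Failed password for root from 62.112.195.219 port 41022 ssh2
Mar  3 04:12:03 host sshd[2211]: Failed password for root from 62.112.195.219 port 41022 ssh2
Mar  3 04:12:05 host sshd[2213]: Invalid user oracle from 62.112.195.219
Mar  3 04:12:05 host sshd[2213]: Failed password for invalid user oracle from 62.112.195.219 port 41030 ssh2
Mar  3 04:13:10 host sshd[2220]: Failed password for admin from 209.178.196.3 port 5522 ssh2
Mar  3 04:13:12 host sshd[2220]: Received disconnect from 209.178.196.3: 11: Bye Bye'

# summarize <failed|illegal> : reads log lines on stdin, prints "ip count"
# lines, highest count first.
summarize() {
    awk -v section="$1" '
        # Existing-account failures: "Failed password for <user> from <ip>".
        section == "failed" && /sshd\[[0-9]+\]: Failed password for/ && !/invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        # Non-existent accounts: count the password failure line and skip the
        # separate "Invalid user X from" announcement so each try counts once.
        section == "illegal" && /Failed password for invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) printf "%s %d\n", ip, n[ip] }
    ' | sort -k2,2nr
}

# count_for <failed|illegal> <ip> : count for one IP in the sample (0 if none)
count_for() {
    printf '%s\n' "$SAMPLE_LOG" | summarize "$1" |
        awk -v ip="$2" '$1 == ip { print $2; f = 1 } END { if (!f) print 0 }'
}

echo "Failed logins from:"; printf '%s\n' "$SAMPLE_LOG" | summarize failed
echo "Illegal users from:"; printf '%s\n' "$SAMPLE_LOG" | summarize illegal
```

Running it against a real /var/log/secure (`summarize failed < /var/log/secure`) gives the same per-IP view fail2ban's sshd filter acts on.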
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes <--- is this needed?
#MaxAuthTries 6 <--- is this needed, and is this for all users or just the root user?
...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no <-- do I need this on?
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no <--- do I need this to be yes?
I found this but have yet to find a way to bypass the requirement
fail2ban is _capable_ of supporting shorewall (among other things) and even states that "the following software is optional but recommended" with reference to shorewall. However, fail2ban does not _require_ shorewall to function.
From what I've read of ShoreWall's documentation, it's not a daemon...it's an editor:
Quote:
The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter.
So it is optional...you can use it to simplify your configuration of iptables and Netfilter, but you can also use any other serviceable tool you choose...or none. Go ahead and try to install Fail2Ban without it.
218.159.93.213 - this address is coming from Korea.
114.255.40.16 - this address is coming from China.
61.129.60.23 - this address is also coming from China.
62.112.195.219 - this address is coming from Hungary
94.75.250.7 - this address is coming from The Netherlands
58.68.32.172 - this address is coming from India
209.178.196.3 - this one's coming from Hackensack, New Jersey
124.254.14.153 - this one's from China again
I don't know if you caught the attention of a hacker's club, or organized crime, or one guy spoofing his IP address, but you'd better batten down the hatches and prepare to ride out the storm. Here's a book I've been reading lately...it's a bit out of date (2003), but full of some very good advice:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes <--- is this needed?
#MaxAuthTries 6 <--- is this needed, and is this for all users or just the root user?
...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no <-- do I need this on?
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no <--- do I need this to be yes?
Thanks for the info...
I am still looking for an answer to the above.
I did put in fail2ban and it seems to be blocking some stuff. I am still tweaking it.
StrictModes should be left at the default, Yes - See manpage for details
MaxAuthTries can be changed from 6 if you want, not root specific (why would it be?) - See manpage for details
PermitEmptyPasswords should be no unless you want to permit empty passwords - See manpage for details
ChallengeResponseAuthentication can be no if you don't want to do any challenge / response based authentication mechanisms - See manpage for details
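The confusion in the posted config is that the lines starting with "#" are comments that document the compiled-in default; only uncommented lines change anything, and sshd uses the first uncommented occurrence of each keyword. This added example (not from the thread) reads a config fragment modelled on the one posted and reports the effective value of each directive asked about; "Match" blocks are deliberately not handled.

```shell
#!/bin/sh
# Added example: report the effective value of selected sshd_config directives.
# A commented "#MaxAuthTries 6" is only documentation of the default, so the
# directive is reported as "default". Keywords are case-insensitive and the
# first active occurrence wins, as in sshd_config(5). Match blocks are ignored.

# Constructed fragment modelled on the config posted in the thread.
SAMPLE_CONFIG='#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no'

# effective <directive> : reads config text on stdin, prints the active value
# or "default" when no uncommented line sets it.
effective() {
    awk -v key="$1" '
        # blank lines and comments never set anything
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) && !done { print $2; done = 1 }
        END { if (!done) print "default" }
    '
}

# audit : one line per directive discussed in the thread, using the sample
audit() {
    for d in PermitRootLogin StrictModes MaxAuthTries PasswordAuthentication \
             PermitEmptyPasswords ChallengeResponseAuthentication; do
        printf '%-32s %s\n' "$d" "$(printf '%s\n' "$SAMPLE_CONFIG" | effective "$d")"
    done
}

audit
```

On a live host you would feed /etc/ssh/sshd_config to `effective`; on OpenSSH 5.1 and later, `sshd -T` prints the daemon's full effective configuration and is the authoritative check.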
"So it is optional...you can use it to simplify your configuration of iptables and Netfilter, but you can also use any other serviceable tool you choose...or none. Go ahead and try to install Fail2Ban without it."
How do I do this?
I get this error when I try to install.
rpm -Uhv --ignoreos fail2ban-0.8.4-23.el5.noarch.rpm
warning: fail2ban-0.8.4-23.el5.noarch.rpm: Header V4 DSA signature: NOKEY, key ID 66534c2b
error: Failed dependencies:
shorewall is needed by fail2ban-0.8.4-23.el5.noarch
I did a little more digging...apparently Shorewall is "required" only because Fedora has been unresponsive in dropping that requirement. Check out these discussions: