Such an automated tool obviously comes in addition to using keys, restricting which users are allowed to use sshd, etc. What I'd like to sample some opinions on is the favorite tool used by other Slackware users to proactively shut these offenders out (and report them), rather than just fill up logs and hope they'll go away.
I know about the change of port, but in this case I'd like to be able to permanently block through iptables as well. Based on the various programmes I've searched so far, it seems like a combination of denyhosts and authfail would be ideal (i.e. block the offending host with iptables, send an email to the abuse address from whois, and also submit to a global database for proactive blocking).
While changing the port keeps the script-kiddies out, I've never been a big fan of security through obscurity, and being the "detail devil" that I am, I would like to see how secure it's possible to get this.
I guess I was a bit fuzzy in my original post - my apologies.
In order to access the network from the internet, allowing only one static IP address won't cut it. Furthermore, I believe iptables is far more secure than relying on hosts.allow/deny. I've moved my sshd to a different, high port, but still see quite a bit of attacks, so what I am looking for is a system that functions under Slackware that will allow incoming connections from the internet, but block the IP addresses of hackers using iptables, and preferably send an automagic email to the offending IP range's abuse contact from whois.
authfail does all this, except it's very Debian-centric and thus won't install on Slackware with my very limited perl knowledge.
So I guess my real question is - has anyone got authfail to function on Slackware successfully?
You should take a look at psad and/or Snort. Both are intrusion detection systems that can block IP addresses based on the way traffic from those IP addresses is evaluated. psad is more lightweight than Snort and could be more what you want. Note that IP blocking is disabled by default in psad.
You might want to take a look at DenyHosts. It's a Python script which can run in daemon mode. It will monitor the log files for failed ssh login attempts and it will add the originating IPs for the failed attempts to your hosts.deny file. You specify which log files to monitor and you set the threshold limits for failed attempts, etc. Once the IP is logged in the hosts.deny file, inetd will not allow any connections from that IP.
The only requirements are:
- a working sshd server which has been configured to use inetd
- a working python install
It also has an optional feature which, when enabled, will update your system from a user-populated database of known abusive IPs.
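The core of what the original poster asked for (count failed sshd logins per source, then block the source with iptables) and what the DenyHosts answer above describes (the same counting, written out as hosts.deny entries) is the same few dozen lines of log parsing. The following is an added example written for this thread; it is not code from DenyHosts, authfail or psad. It assumes the standard OpenSSH "Failed password for ... from <ip> port <n> ssh2" syslog format, uses constructed sample log lines, and emits both a hosts.deny entry and an iptables/ip6tables argv per offender rather than executing anything. The allow-list networks, the threshold and the sample addresses are assumptions for the example.

```python
"""Count failed sshd password attempts per source IP and emit block entries.

Added example for this thread, not DenyHosts or authfail code. Assumes the
standard OpenSSH syslog line format for failed password logins.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (syslog style); not taken from the thread.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:19 host sshd[2318]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:01 host sshd[2320]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:02:44 host sshd[2325]: Failed password for bob from 192.0.2.10 port 40012 ssh2
Mar  3 10:03:05 host sshd[2330]: Invalid user oracle from 198.51.100.22
Mar  3 10:03:06 host sshd[2330]: Failed password for invalid user oracle from 198.51.100.22 port 3333 ssh2
Mar  3 10:03:09 host sshd[2330]: Failed password for invalid user oracle from 198.51.100.22 port 3333 ssh2
Mar  3 10:03:12 host sshd[2330]: Failed password for invalid user oracle from 198.51.100.22 port 3333 ssh2
Mar  3 10:03:15 host sshd[2330]: Failed password for invalid user oracle from 198.51.100.22 port 3333 ssh2
"""

# Only the address field is captured; the user name is attacker-chosen text.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def parse_failures(log_text):
    """Return a Counter mapping source IP -> number of failed password attempts.

    A line is counted only if its source field validates as an IP address:
    everything in an sshd log line after "for" is attacker-influenced, so no
    value from the log is used until ipaddress has accepted it.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # garbled or crafted field; never block on it
        counts[str(ip)] += 1
    return counts


def offenders(counts, threshold=3, allow_nets=()):
    """IPs with at least `threshold` failures, minus allow-listed networks.

    The allow list is the guard against locking yourself out: a few typos
    from your own management network must not become a DROP rule.
    """
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    result = []
    for ip_str, n in counts.items():
        ip = ipaddress.ip_address(ip_str)
        if n < threshold or any(ip in net for net in nets):
            continue
        result.append(ip_str)
    # Sort by (version, address) so IPv4 and IPv6 entries never get compared.
    return sorted(result, key=lambda s: (ipaddress.ip_address(s).version,
                                         ipaddress.ip_address(s)))


def hosts_deny_lines(ips):
    """TCP-wrappers entries in the "daemon: client" form used in /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]


def iptables_commands(ips):
    """argv lists (not shell strings) that drop all traffic from each offender.

    Handing an argv list to subprocess.run avoids shell parsing of a value
    that originated in an untrusted log line. IPv6 sources go to ip6tables.
    """
    cmds = []
    for ip in ips:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        cmds.append([tool, "-I", "INPUT", "-s", ip, "-j", "DROP"])
    return cmds


if __name__ == "__main__":
    counts = parse_failures(SAMPLE_LOG)
    bad = offenders(counts, threshold=3, allow_nets=["192.0.2.0/24"])
    for entry in hosts_deny_lines(bad):
        print(entry)
    for argv in iptables_commands(bad):
        # As root, this is where subprocess.run(argv, check=True) would go.
        print(" ".join(argv))
```

Run as-is it prints the hosts.deny lines and the iptables commands for the two sample offenders; the single failure from 192.0.2.10 stays below the threshold and is in the allow list anyway. To turn this into a daemon along the lines of DenyHosts you would tail the real log file and persist the counts, and the whois-based abuse email the original poster wants is deliberately not included here.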