I have DenyHosts blocking on failures from FTP and SSH. I use syslog to combine the logging of OpenSSH and VSFTP into one log file. I plan on writing a regex for dovecot logs (POPS and IMAPS server) when I get some time. If someone has already done so, please share! The regex I use for my combined log file is:
# Match is in two parts.
# Add vsftp: to match log entry.
# Add vsftp regex to match log message. - Ron Nash
# Jul 6 16:52:35 rohan sshd[18061]: [ID 800047 local1.info] Failed password for invalid user admin from 60.31.195.66 port 32581 ssh2
# Jul 6 16:52:44 rohan vsftpd: [ID 702911 news.warning] Mon Jul 6 16:52:44 2009 [pid 11699] [account] FAIL LOGIN: Client "41.211.226.55"
SSHD_FORMAT_REGEX=.* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)
USERDEF_FAILED_ENTRY_REGEX=\[(?P<user>\S+)\].*FAIL LOGIN.*"(?P<host>\S+)"

I have whitelisted most of the class B subnets our users connect from in /etc/hosts.allow. Whitelisting prevents the service calls when a user plugs in a bad username/password into a package that retries often. The format is "ALL: 123.456.0.0/255.255.0.0" to whitelist any IP in the 123.456 subnet. For the other users, I block for an hour on bad attempts. For root and restricted usernames I block for 5 days. I've harvested 26 "toxic" usernames that I restrict after 2 attempts to use.

-Ron

> Doh, sorry, I answered for "part 2". For part 1, you can specify custom
> regex that you could tailor to match other things, but it's far from
> ideal, even apart from it getting quite complicated. Eg. I want to
> block hosts from failed ssh login attempts quite quickly, but if I had
> the same threshold on a pop3 server, any of my customers that mistypes
> their username or password is almost guaranteed to be blocked and
> require manual cleanup by the time they call in.
>
> I only briefly looked at fail2ban a few years ago and I believe it was
> better suited to multiple services, but I've not tried using it.
>
> You might get by with multiple denyhost instances running, each
> pointing to a separate config file. Far from ideal. Maybe you want to
> contribute this feature to denyhosts, so I can use it, too?
> :)
>
> Jesse
>
>
> On Thu, 2009-07-09 at 11:35 -0500, Neil Aggarwal wrote:
>> Hello:
>>
>> > To me, it seems the advantage of Fail2ban is that
>> > it will block more than just SSH attempts. Does
>> > DenyHosts have that ability?
>>
>> I probably need to clarify this question.
>>
>> There are two parts to blocking an offender:
>> 1. Identification of a hacking attempt
>> 2. Blocking the host the offender used
>>
>> For part 2, it looks like DenyHosts can block
>> individual services or all access to my machine
>> so that is not a problem.
>>
>> I am concerned about part 1. It looks like DenyHosts
>> only identifies an offender when they attempt an
>> SSH login and fail. Other types of attacks (Eg: pop3s)
>> will not trigger DenyHosts to block the offender.
>>
>> Is there a way to tell DenyHosts to account for all
>> types of access to a machine?
>>
>> The reason I ask is it seems Fail2ban can take more than
>> SSH failures into account. I like the idea of the
>> synchronization service DenyHosts offers, but it seems
>> Fail2ban will offer more complete protection.
>>
>> Thanks,
>> Neil
>>
>> --
>> Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com
>> Will your e-commerce site go offline if you have
>> a DB server failure, fiber cut, flood, fire, or other disaster?
>> If so, ask me about our geographically redundant database system.
>>
>>
>> ------------------------------------------------------------------------------
>> Enter the BlackBerry Developer Challenge
>> This is your chance to win up to $100,000 in prizes! For a limited time,
>> vendors submitting new applications to BlackBerry App World(TM) will have
>> the opportunity to enter the BlackBerry Developer Challenge. See full prize
>> details at: http://p.sf.net/sfu/Challenge
>> _______________________________________________
>> Denyhosts-user mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/denyhosts-user
>
> --
> Jesse Norell
> Kentec Communications, Inc.
> [email protected]
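Worked example, added here and not part of the thread or of DenyHosts itself: a Python script that replays Ron's two posted regexes (SSHD_FORMAT_REGEX and USERDEF_FAILED_ENTRY_REGEX, copied unchanged) over constructed sshd/vsftpd syslog lines, then layers on the policy he describes (a hosts.allow-style whitelist checked before counting, a short threshold and a long block for "toxic" usernames) and Jesse's point that each service needs its own failure threshold. The sshd failure pattern, the netblock, the usernames, the thresholds, the block durations and the sample log are all assumptions chosen for the example, not values from the post or from DenyHosts' configuration.

```python
"""Replay DenyHosts-style matching over a combined sshd/vsftpd syslog.

Added example, not DenyHosts code.  SSHD_FORMAT_REGEX and
USERDEF_FAILED_ENTRY_REGEX are copied from the post; everything else
(the sshd failure pattern, whitelist, usernames, thresholds, durations,
sample log) is an assumption made for this example.
"""
import ipaddress
import re
from collections import defaultdict

# The two patterns from the post, unchanged (DenyHosts uses Python named groups).
SSHD_FORMAT_REGEX = re.compile(r".* (sshd.*:|\[sshd\]|vsftpd:) (?P<message>.*)")
USERDEF_FAILED_ENTRY_REGEX = re.compile(
    r'\[(?P<user>\S+)\].*FAIL LOGIN.*"(?P<host>\S+)"')
# Assumption: a simplified stand-in for DenyHosts' built-in sshd failure pattern.
SSHD_FAILED_REGEX = re.compile(
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)")

# Policy (assumed values that mirror the shape of the post, not its numbers).
HOSTS_ALLOW = ["ALL: 192.0.2.0/255.255.255.0"]   # /etc/hosts.allow style rule
RESTRICTED_USERS = {"root", "admin", "oracle"}    # "toxic" usernames
RESTRICTED_THRESHOLD = 2                          # attempts before the long block
SERVICE_THRESHOLD = {"sshd": 3, "vsftpd": 5}      # per-service, as Jesse asks for
BLOCK_DEFAULT = 3600                              # one hour
BLOCK_RESTRICTED = 5 * 86400                      # five days


def parse_hosts_allow(lines):
    """Turn 'ALL: net/mask' rules into networks; other daemons/forms ignored."""
    nets = []
    for line in lines:
        daemon, _, client = line.partition(":")
        if daemon.strip() == "ALL":
            nets.append(ipaddress.ip_network(client.strip(), strict=False))
    return nets


WHITELIST = parse_hosts_allow(HOSTS_ALLOW)


def is_whitelisted(host):
    """True if host falls inside any whitelisted network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in WHITELIST)


def parse_failure(line):
    """Return (service, user, host) for a failed-login line, else None."""
    m = SSHD_FORMAT_REGEX.match(line)
    if not m:
        return None
    service = "vsftpd" if m.group(1) == "vsftpd:" else "sshd"
    entry = USERDEF_FAILED_ENTRY_REGEX if service == "vsftpd" else SSHD_FAILED_REGEX
    f = entry.search(m.group("message"))
    if not f:
        return None          # e.g. an "Accepted publickey" line: not a failure
    return service, f.group("user"), f.group("host")


class Tracker:
    """Counts failures per (service, host) and decides block lengths."""

    def __init__(self):
        self.failures = defaultdict(int)         # (service, host) -> count
        self.restricted_hits = defaultdict(int)  # host -> restricted-user attempts
        self.blocks = {}                         # host -> block length in seconds

    def feed(self, line):
        """Consume one log line; return the host if it is (now) blocked."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        service, user, host = parsed
        if is_whitelisted(host):
            return None                          # hosts.allow wins, as in the post
        if user in RESTRICTED_USERS:
            self.restricted_hits[host] += 1
            if self.restricted_hits[host] >= RESTRICTED_THRESHOLD:
                self.blocks[host] = max(self.blocks.get(host, 0), BLOCK_RESTRICTED)
                return host
        self.failures[(service, host)] += 1
        if self.failures[(service, host)] >= SERVICE_THRESHOLD[service]:
            self.blocks.setdefault(host, BLOCK_DEFAULT)
            return host
        return None


def run(log_text):
    """Feed every line of a syslog dump; return {host: block_seconds}."""
    tracker = Tracker()
    for line in log_text.splitlines():
        tracker.feed(line)
    return tracker.blocks


# Constructed sample log (RFC 5737 addresses), shaped like the lines in the post.
SAMPLE_LOG = """\
Jul 6 16:52:35 rohan sshd[18061]: [ID 800047 local1.info] Failed password for invalid user admin from 203.0.113.9 port 32581 ssh2
Jul 6 16:52:37 rohan sshd[18062]: [ID 800047 local1.info] Failed password for invalid user admin from 203.0.113.9 port 32590 ssh2
Jul 6 16:52:44 rohan vsftpd: [ID 702911 news.warning] Mon Jul 6 16:52:44 2009 [pid 11699] [account] FAIL LOGIN: Client "198.51.100.7"
Jul 6 16:52:50 rohan vsftpd: [ID 702911 news.warning] Mon Jul 6 16:52:50 2009 [pid 11700] [account] FAIL LOGIN: Client "198.51.100.7"
Jul 6 16:52:55 rohan vsftpd: [ID 702911 news.warning] Mon Jul 6 16:52:55 2009 [pid 11701] [account] FAIL LOGIN: Client "198.51.100.7"
Jul 6 16:53:01 rohan sshd[18070]: [ID 800047 local1.info] Failed password for bob from 192.0.2.44 port 40001 ssh2
Jul 6 16:53:02 rohan sshd[18071]: [ID 800047 local1.info] Failed password for bob from 192.0.2.44 port 40002 ssh2
Jul 6 16:53:03 rohan sshd[18072]: [ID 800047 local1.info] Failed password for bob from 192.0.2.44 port 40003 ssh2
Jul 6 16:53:10 rohan sshd[18073]: [ID 800047 local1.info] Accepted publickey for alice from 203.0.113.9 port 40010 ssh2
"""

if __name__ == "__main__":
    for host, secs in run(SAMPLE_LOG).items():
        print(f"block {host} for {secs} s")
```

On the sample above only 203.0.113.9 ends up blocked (two "admin" attempts trip the restricted threshold and earn the five-day block); the three vsftpd failures from 198.51.100.7 stay under the FTP threshold, and 192.0.2.44 is never counted because the whitelist is consulted first. One caveat worth testing against your own logs: in the posted format regex the `sshd.*:` alternative is greedy, so the message boundary lands at the last colon followed by a space in the line, which shifts `(?P<message>.*)` if an sshd message itself contains ": ".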
