Re: [gentoo-user] Break In attempts

2007-10-07 Thread Elias Probst
On Sunday, 7 October 2007 11:40:10, Mick wrote:
> Hi All,
>
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in?

I think you're looking for: net-analyzer/fail2ban (http://www.fail2ban.org)

Regards, Elias P.

-- 
A really nice number:
09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0




RE: [gentoo-user] Break In attempts

2007-10-07 Thread Joost van Surksum

If you have iptables available in your kernel, a quick manual step could be
to block all traffic incoming from that IP address. A statement like the
following could work:

iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

(This drops all traffic coming from IP address XXX... effectively, it simply
loses the network packets and doesn't respond to them any more.)

Of course this is a one time only, manual thing. There may also be
processes/applications that automatically block unwanted IP traffic. Maybe
somebody else may suggest such a solution (I'm not that familiar with this).

Cheers,
Joost

> -----Original Message-----
> From: Mick [mailto:[EMAIL PROTECTED]
> Sent: Sunday 7 October 2007 11:40
> To: gentoo-user@lists.gentoo.org
> Subject: [gentoo-user] Break In attempts
>
>
> Hi All,
>
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in?  I am looking here at a server which over the
> last week is being attacked daily with random usernames.  So the only
> constant in these repeated attempts is not the username, but the IP address.
> Occasionally, the odd service name (e.g. rpc, mysql, postgres, etc.) repeats
> itself, otherwise they seem to be randomly selected from a dictionary.
>
> I have already disabled PAM authentication on sshd so that only users with a
> public key in their ~/.ssh can login.
> --
> Regards,
> Mick
>

--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] Break In attempts

2007-10-07 Thread Mick
On Sunday 07 October 2007, Elias Probst wrote:
> On Sunday, 7 October 2007 11:40:10, Mick wrote:
> > Hi All,
> >
> > Can you please advise what I could do to block IP addresses that have
> > repeatedly failed to log in?
>
> I think you're looking for: net-analyzer/fail2ban (http://www.fail2ban.org)
>
> Regards, Elias P.

This looks just like what I want.  Thanks!
-- 
Regards,
Mick




Re: [gentoo-user] Break In attempts

2007-10-07 Thread Bertram Scharpf
Hi,

On Sunday, 07 Oct 2007, 10:40:10 +0100, Mick wrote:
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in?  I am looking here at a server which over the
> last week is being attacked daily with random usernames.  So the only
> constant in these repeated attempts is not the username, but the IP address.
> Occasionally, the odd service name (e.g. rpc, mysql, postgres, etc.) repeats
> itself, otherwise they seem to be randomly selected from a dictionary.

This is a _real_ nuisance. Besides that I doubt there is any
meaningful harvest.

> I have already disabled PAM authentication on sshd so that only users with a
> public key in their ~/.ssh can login.

Host-based authentication is one possible solution. Fail2ban
was already mentioned, too.

A bit more difficult is the ban by iptables. This one is
working here successfully for quite some time:

  # Sources that are never rate-limited (space separated; must be quoted,
  # otherwise the shell treats the second address as a command).
  SSH_WHITELIST='192.168.0.0/16 11.22.33.44'

  IPT='/sbin/iptables -v'

  iptsshdefence()
  {
  # Whitelisted sources are dropped from the "SSH" tracking list and accepted.
  $IPT -N sshwhite
  for t in $SSH_WHITELIST
  do
  $IPT -A sshwhite -s $t -m recent --remove --name SSH -j ACCEPT
  done

  # Optional: log every new SSH connection attempt.
  # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix 'SSH request '
  # Record the source of every new SSH connection in the "SSH" recent list.
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j sshwhite
  # Optional: log sources that exceeded the limit.
  # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix 'SSH brute_force '
  # Reject the 4th and later new connections from one source within 60 seconds.
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT
  }

Of course you need a kernel with the recent module and reject
target support compiled in.

Thanks a lot again to this list!

Bertram


-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
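Joost's manual `iptables -I INPUT -s ... -j DROP` step and Bertram's whitelist idea can be combined into a small log-driven helper. The script below is an added example written for this page, not code from either poster or from fail2ban: it counts "Failed password" lines per source address in an sshd auth log, skips whitelisted sources, and prints the DROP commands instead of running them. The log lines are a constructed sample, the function names (`ssh_offenders`, `block_rules`) and the threshold of 3 are assumptions, and the whitelist syntax (exact address or dotted prefix) is a simplification of Bertram's CIDR list.

```shell
#!/bin/sh
# Added example, not from the thread: count failed sshd logins per source
# address in an auth log, skip whitelisted sources, and print the iptables
# commands an administrator would otherwise type by hand. The rules are only
# printed; nothing changes unless the output is deliberately piped to sh.

# Constructed sample of sshd auth-log lines (not real traffic). Addresses are
# from documentation ranges; 192.168.1.20 stands in for a trusted LAN host.
SAMPLE_LOG='Oct  7 10:12:01 host sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 40211 ssh2
Oct  7 10:12:04 host sshd[2213]: Failed password for invalid user mysql from 203.0.113.5 port 40213 ssh2
Oct  7 10:12:07 host sshd[2215]: Failed password for invalid user postgres from 203.0.113.5 port 40215 ssh2
Oct  7 10:12:09 host sshd[2217]: Failed password for root from 203.0.113.5 port 40217 ssh2
Oct  7 10:13:30 host sshd[2230]: Failed password for mick from 198.51.100.9 port 51002 ssh2
Oct  7 10:14:00 host sshd[2241]: Failed password for mick from 192.168.1.20 port 33001 ssh2
Oct  7 10:14:02 host sshd[2243]: Failed password for mick from 192.168.1.20 port 33003 ssh2
Oct  7 10:14:05 host sshd[2245]: Failed password for mick from 192.168.1.20 port 33005 ssh2
Oct  7 10:14:09 host sshd[2247]: Accepted publickey for mick from 192.168.1.20 port 33007 ssh2'

# ssh_offenders THRESHOLD WHITELIST < logfile
#   WHITELIST is a space-separated list of exact addresses or dotted prefixes
#   ending in "." (e.g. "192.168." covers 192.168.0.0/16). Prints "IP count"
#   for every non-whitelisted source with at least THRESHOLD failures.
ssh_offenders() {
    awk -v thr="$1" -v wl="$2" '
        BEGIN { n = split(wl, w, " ") }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            skip = 0
            for (j = 1; j <= n; j++) {
                if (ip == w[j]) skip = 1
                if (substr(w[j], length(w[j])) == "." && index(ip, w[j]) == 1) skip = 1
            }
            if (!skip) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= thr) print ip, count[ip] }
    ' | sort
}

# block_rules < "IP count" lines
#   Emits one iptables DROP rule per offender, inserted at the top of INPUT
#   as in the manual command from the thread. Printed, not executed.
block_rules() {
    while read -r ip count; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failed logins\n' "$ip" "$count"
    done
}

# Demonstration: 4 failures from 203.0.113.5 exceed the threshold of 3,
# 198.51.100.9 has only 1, and 192.168.1.20 is whitelisted.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 3 "192.168. 11.22.33.44" | block_rules
```

Run it against a real log with `ssh_offenders 3 "192.168." < /var/log/auth.log | block_rules` and review the output before applying anything; a whitelist matters because a mistyped password from your own LAN would otherwise lock you out, which is exactly why Bertram's rules exempt `SSH_WHITELIST` first. For an unattended setup the `recent` module approach or fail2ban is preferable, since this helper neither expires entries nor watches the log continuously.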



Re: [gentoo-user] Break In attempts

2007-10-07 Thread Randy Barlow
Mick wrote:
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in?

You can also have a look at denyhosts...

-- 
Randy Barlow
http://electronsweatshop.com