Re: [gentoo-user] Break In attempts
On Sunday, 7 October 2007 11:40:10, Mick wrote:
> Hi All,
>
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in?

I think you're looking for: net-analyzer/fail2ban (http://www.fail2ban.org)

Regards,
Elias P.

--
A really nice number: 09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0
RE: [gentoo-user] Break In attempts
If you have iptables available in your kernel, a quick manual step could
be to block all traffic incoming from that IP address. A statement like
the following could work:

  iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

(This drops all traffic coming from IP address XXX... effectively, it
simply loses the network packets and doesn't respond to it any more.)

Of course this is a one time only, manual thing. There may also be
processes/applications that automatically block unwanted IP traffic.
Maybe somebody else may suggest such a solution (I'm not that familiar
with this).

Cheers,
Joost

-----Original Message-----
From: Mick [mailto:[EMAIL PROTECTED]]
Sent: Sunday 7 October 2007 11:40
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Break In attempts

Hi All,

Can you please advise what I could do to block IP addresses that have
repeatedly failed to log in? I am looking here at a server which over the
last week is being attacked daily with random usernames. So the only
constant in these repeated attempts is not the username, but the IP
address. Occasionally, the odd service name (e.g. rpc, mysql, postgres,
etc.) repeats itself, otherwise they seem to be randomly selected from a
dictionary.

I have already disabled PAM authentication on sshd so that only users
with a public key in their ~/.ssh can login.

--
Regards,
Mick
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Break In attempts
On Sunday 07 October 2007, Elias Probst wrote:
> On Sunday, 7 October 2007 11:40:10, Mick wrote:
> > Hi All,
> >
> > Can you please advise what I could do to block IP addresses that have
> > repeatedly failed to log in?
>
> I think you're looking for: net-analyzer/fail2ban (http://www.fail2ban.org)
>
> Regards,
> Elias P.

This looks just like what I want. Thanks!

--
Regards,
Mick
Re: [gentoo-user] Break In attempts
Hi,

On Sunday, 07 Oct 2007, 10:40:10 +0100, Mick wrote:
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in? I am looking here at a server which over
> the last week is being attacked daily with random usernames. So the
> only constant in these repeated attempts is not the username, but the
> IP address. Occasionally, the odd service name (e.g. rpc, mysql,
> postgres, etc.) repeats itself, otherwise they seem to be randomly
> selected from a dictionary.

This is a _real_ nuisance. Besides that I doubt there is any meaningful
harvest.

> I have already disabled PAM authentication on sshd so that only users
> with a public key in their ~/.ssh can login.

Host-based authentication is one possible solution. Fail2ban was already
mentioned, too.

A bit more difficult is the ban by iptables. This one is working here
successfully for quite some time:

# Sources that are never rate-limited. The value contains a space, so it
# must be quoted or the shell treats the second address as a command.
SSH_WHITELIST="192.168.0.0/16 11.22.33.44"
IPT='/sbin/iptables -v'

iptsshdefence() {
  # Whitelisted sources are accepted and their entry in the SSH list removed.
  $IPT -N sshwhite
  for t in $SSH_WHITELIST
  do
    $IPT -A sshwhite -s $t -m recent --remove --name SSH -j ACCEPT
  done
  # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix 'SSH request '
  # Record every new SSH connection in the SSH list, then consult the whitelist.
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j sshwhite
  # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix 'SSH brute_force '
  # The 4th new connection within 60 seconds from the same source (and same TTL) is rejected.
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT
}

Of course you need a kernel with recent module and reject target support
compiled in.

Thanks a lot again to this list!

Bertram

--
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de
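The rate-limiting logic behind the iptables rule above (4 hits from one source within a 60-second window, whitelisted sources exempt), applied to log lines the way fail2ban does it. This is an added example, not code from the thread: the sample sshd lines are constructed, it counts "Failed password" log entries rather than new TCP connections, and it ignores the --rttl TTL check, which a log file cannot reproduce.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not from the original thread).
SAMPLE_LOG = """\
Oct  7 10:40:01 host sshd[101]: Failed password for invalid user rpc from 203.0.113.7 port 4411 ssh2
Oct  7 10:40:12 host sshd[102]: Failed password for invalid user mysql from 203.0.113.7 port 4412 ssh2
Oct  7 10:40:25 host sshd[103]: Failed password for invalid user postgres from 203.0.113.7 port 4413 ssh2
Oct  7 10:40:40 host sshd[104]: Failed password for invalid user oracle from 203.0.113.7 port 4414 ssh2
Oct  7 10:41:00 host sshd[105]: Failed password for invalid user admin from 192.168.1.20 port 5001 ssh2
Oct  7 10:41:05 host sshd[106]: Failed password for invalid user admin from 192.168.1.20 port 5002 ssh2
Oct  7 10:41:10 host sshd[107]: Failed password for invalid user admin from 192.168.1.20 port 5003 ssh2
Oct  7 10:41:15 host sshd[108]: Failed password for invalid user admin from 192.168.1.20 port 5004 ssh2
Oct  7 10:45:00 host sshd[109]: Failed password for invalid user test from 198.51.100.9 port 6001 ssh2
Oct  7 10:47:00 host sshd[110]: Failed password for invalid user test from 198.51.100.9 port 6002 ssh2
Oct  7 10:49:00 host sshd[111]: Failed password for invalid user test from 198.51.100.9 port 6003 ssh2
Oct  7 10:51:00 host sshd[112]: Failed password for invalid user test from 198.51.100.9 port 6004 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port"
)

def find_offenders(log_text, whitelist=("192.168.0.0/16",),
                   seconds=60, hitcount=4, year=2007):
    """Return the source IPs that would be blocked: `hitcount` or more
    failed logins inside a sliding window of `seconds`; whitelist never counts."""
    nets = [ipaddress.ip_network(w) for w in whitelist]
    hits = defaultdict(deque)   # per-source timestamps, like the 'recent' list
    banned = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year; assume one (the thread's is 2007)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in n for n in nets):
            continue   # the sshwhite chain: whitelisted sources are accepted
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()   # --seconds: forget hits older than the window
        if len(window) >= hitcount:
            banned.add(str(ip))   # --hitcount reached: REJECT in the rule
    return banned
```

On the sample, only 203.0.113.7 reaches four failures inside one minute; 192.168.1.20 is whitelisted and 198.51.100.9 spaces its attempts two minutes apart, so neither is banned.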
Re: [gentoo-user] Break In attempts
Mick wrote:
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in?

You can also have a look at denyhosts...

--
Randy Barlow
http://electronsweatshop.com