How to ban failed SSH, FTP, POP3 and SMTP logins?


nenad
13th July 2006, 20:07
So, as the title says, I am interested in finding the best possible way to ban all of the IPs from which failed logins originate for the ssh, ftp, pop3 and smtp services.

In the past few days a few hackers from China have been permanently trying to log in to any/all of those services. My complaints to their network's hostmasters were hopeless.

As I am still under attack 24h daily, I am open to all suggestions.

P.S. DenyHosts installed for SSH. Logcheck too.

sjau
13th July 2006, 21:21
For SSH I have this running:

http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

on Debian Sarge and a SuSE 9.2 server

Oh, you have DenyHosts already ^^

edge
13th July 2006, 21:32
Not sure if FWSNORT (http://www.cipherdyne.com/fwsnort/) is of use to you..

I'm using PSAD (http://www.cipherdyne.com/psad/), but that's a Port Scan Attack Detector.

nenad
13th July 2006, 21:35
How do I use DenyHosts for FTP or mail logins? Is it possible?

edge
13th July 2006, 22:41
Another one I just found.. Fail2Ban (http://fail2ban.sourceforge.net/wiki/index.php/Main_Page)

falko
14th July 2006, 13:37
Also have a look here: http://www.howtoforge.com/forums/showthread.php?t=4611

nenad
14th July 2006, 14:05
Thank you.

After I reported the attacks to the China network hostmaster, the attacks ceased, for now.
But I will install some of these solutions.

BTW, do DenyHosts and BlockHosts interfere with one another?

On the other hand, I have thoughts about installing FreeSCO or IPCop on a separate machine instead of a hardware router...?

Which one is better, FreeSCO or IPCop?

nenad
14th July 2006, 14:09
Another one I just found.. Fail2Ban (http://fail2ban.sourceforge.net/wiki/index.php/Main_Page)

Some people are claiming that there are some problems with it.

BTW, all of the solutions are mostly for SSH or FTP, but I need solutions for SMTP and POP3 as I noticed that hackers are trying to break into the mail server too. Probably they want to use it for spamming. What is the best solution to keep a mail server safe from brute-force password cracking?

Ben
14th July 2006, 14:12
One thing for smtp stuff from China would be greylisting... (postgrey)...
If I get the time I will post something on how to use it with ISPConfig...

Regarding the SSH stuff, I just moved my SSH port; since then I have not found any scan for ssh...
For that purpose I disabled the ISPConfig firewall (because it does not let me close port 22) and set it up on the shell via firehol.

nenad
14th July 2006, 14:17
One thing for smtp stuff from China would be greylisting... (postgrey)...
If I get the time I will post something on how to use it with ISPConfig...

Regarding the SSH stuff, I just moved my SSH port; since then I have not found any scan for ssh...
For that purpose I disabled the ISPConfig firewall (because it does not let me close port 22) and set it up on the shell via firehol.

When an attack occurs, and that could be in the middle of the night, I don't have time to ask for a "graylist". Password checks which occur dozens of times per second can put significant load on the server. Only the "ban" method is a solution in such occurrences.
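The "ban on failed logins" approach asked for here, across all four services at once, as an added example that is not code from the thread or from any of the tools named in it. It pools failures per source IP the way fail2ban's maxretry/findtime settings do, but across ssh, ftp, pop3 and smtp together; the log signatures and the sample log lines are constructed (RFC 5737 documentation addresses) and must be checked against your own daemons' formats.

```python
import re
from collections import defaultdict
from datetime import datetime
# Failure signatures for the four services in the thread, constructed here from
# typical sshd/vsftpd/dovecot/postfix messages; verify them against your own logs.
FAIL_PATTERNS = {
    "ssh":  re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    "ftp":  re.compile(r'vsftpd\[\d+\]: .*FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
    "pop3": re.compile(r"dovecot: pop3-login: .*auth failed.*rip=(?P<ip>[\d.]+)"),
    "smtp": re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"),
}
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_failed_login(line):
    """Return (timestamp, service, ip) for a failed-login line, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime("2006 " + m.group("ts"), "%Y %b %d %H:%M:%S")  # syslog has no year; assumed
    for service, pattern in FAIL_PATTERNS.items():
        if hit := pattern.search(line):
            return ts, service, hit.group("ip")
    return None

def ban_candidates(lines, maxretry=3, findtime_s=600):
    """IP -> sorted services for IPs with >= maxretry failures inside any
    findtime_s window, pooled across services so ssh+pop3+smtp count together."""
    events = defaultdict(list)
    for line in lines:
        if parsed := parse_failed_login(line):
            ts, service, ip = parsed
            events[ip].append((ts, service))
    banned = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            window = [svc for t, svc in hits[i:] if (t - start).total_seconds() <= findtime_s]
            if len(window) >= maxretry:
                banned[ip] = sorted(set(window))  # feed to iptables / hosts.deny
                break
    return banned

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Jul 13 20:07:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 4410 ssh2
Jul 13 20:07:03 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Jul 13 20:07:10 srv vsftpd[1305]: [anonymous] FAIL LOGIN: Client "198.51.100.9"
Jul 13 20:08:30 srv dovecot: pop3-login: Aborted login (auth failed, 3 attempts): user=<nenad>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Jul 13 20:09:00 srv postfix/smtpd[1410]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
"""
```

With the sample, 203.0.113.7 crosses the threshold on four failures spread over ssh, pop3 and smtp inside two minutes, while the single ftp failure from 198.51.100.9 is left alone.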

Ben
14th July 2006, 14:21
ah ok...

10 characters

nenad
14th July 2006, 14:28
ah ok...

10 characters

I don't understand those "10 characters"?

If you mean "10 characters long password", I can't control how long any password will be for any of the users of my servers.

Besides that, that does not prevent load on the smtp/pop3 servers. And in case of a password break-in, the smtp server might be used for sending spam for days, even weeks, before someone notices. Usually you notice when your server's IP is on an RBL ... unfortunately, or through high load or traffic on the smtp server.

Last week there was an incident where a hacker tried to break into pop3; obviously he was very interested in reading someone's emails.... and unfortunately it was my personal email...

spunk
23rd June 2007, 17:55
So, as the title says, I am interested in finding the best possible way to ban all of the IPs from which failed logins originate for the ssh, ftp, pop3 and smtp services.

In the past few days a few hackers from China have been permanently trying to log in to any/all of those services. My complaints to their network's hostmasters were hopeless.

As I am still under attack 24h daily, I am open to all suggestions.

P.S. DenyHosts installed for SSH. Logcheck too.


I installed ISPConfig for the first time yesterday and was amazed at its capabilities. A very big "thank you" to all the developers.

DenyHosts has worked very well for me in the past on some other servers I have built and I will be installing it on my ISPConfig server. Until then, I made a few changes to the default sshd_config settings from my new install to increase the security of ssh. I set PermitRootLogin to "no" and added AllowUsers to just my personal login. Just these two changes alone will tighten up your ssh quite a bit. If you want to go further, changing the port sshd listens to is a great idea, as is using crypto keys instead of password authentication.
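The sshd_config changes described above, as an added example that is neither the poster's file nor OpenSSH code: a small audit that resolves a config the way sshd does (case-insensitive keywords, first occurrence wins, anything after a Match line is conditional) and reports which of the four hardening steps are still missing. The default values and both config fragments are constructed assumptions; confirm the defaults for your own build with `sshd -T`.

```python
import re

# Values sshd applies when a keyword is absent (assumption, taken from OpenSSH
# defaults of the period; confirm on your own build with `sshd -T`).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes", "port": "22"}

def effective_settings(config_text):
    """Global keyword -> value as sshd resolves it: case-insensitive keywords,
    FIRST occurrence wins, and lines after a Match block are conditional."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything below applies only to matching connections
        settings.setdefault(key, value)  # a later duplicate never overrides
    return settings

def audit(config_text):
    s = {**DEFAULTS, **effective_settings(config_text)}
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can be brute-forced directly")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every local account accepts logins")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: keys only would end password guessing")
    if s["port"] == "22":
        findings.append("Port 22: the default port collects most scanner noise")
    return findings

# Constructed before/after fragments; the hardened one mirrors the steps in the post.
WEAK = """\
# stock file: nothing set, so every default applies
"""
HARDENED = """\
Port 2222
PermitRootLogin no
AllowUsers example_admin
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
```

The Match block at the end of the hardened fragment is deliberate: it relaxes password logins for one LAN only, and the audit must not mistake that conditional line for the global policy.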

AlArenal
23rd June 2007, 21:26
I use fail2ban and have not encountered major problems so far. I use it for SSH, FTP and some stuff I wrote myself (in conjunction with mod_security). It seems to be a pretty popular tool and it's easily configurable.

anmsid
25th June 2007, 12:22
Hi,
I use OSSEC-HIDS; it works perfectly on one of my production servers.

Thanks to the tutorial for installing OSSEC-HIDS: http://www.howtoforge.com/intrusion_detection_with_ossec_hids

lyndros
29th June 2007, 09:03
I use blockhosts, but the problem with these daemons (blockhosts, denyhosts...) is that the monitored services must not be running as standalone servers. So if you have a hosting server, normally you must run the ftp service as a standalone server to increase performance, but then you can't ban failed login attempts....

Any idea then?

I'd like to know too how to ban bots trying to find scripts on the server, but I still don't know how...

Any help would be appreciated, guys.

Thank you all

stargazer
30th June 2007, 06:53
One thing for smtp stuff from China would be greylisting... (postgrey)...
If I get the time I will post something on how to use it with ISPConfig...

Regarding the SSH stuff, I just moved my SSH port; since then I have not found any scan for ssh...
For that purpose I disabled the ISPConfig firewall (because it does not let me close port 22) and set it up on the shell via firehol.

I also moved the ssh port and did not worry about 22 being closed, as there is nothing listening on it. What is the difference? Curious, but since there is no daemon listening on the port it seems like it makes no difference if it is open. Please advise.

falko
30th June 2007, 16:45
I use blockhosts, but the problem with these daemons (blockhosts, denyhosts...) is that the monitored services must not be running as standalone servers. So if you have a hosting server, normally you must run the ftp service as a standalone server to increase performance, but then you can't ban failed login attempts....

Why don't you try fail2ban?

falko
30th June 2007, 16:46
I also moved the ssh port and did not worry about 22 being closed, as there is nothing listening on it. What is the difference? Curious, but since there is no daemon listening on the port it seems like it makes no difference if it is open. Please advise.
If there's nothing running on that port, you don't need to close it in your firewall.

lyndros
1st July 2007, 21:40
Why don't you try fail2ban?
Thanks falko, I've checked fail2ban and it seems that it is just perfect for me.

Thanks again :)

sgardner
15th June 2008, 18:56
I am using OSSEC and Chirpy's ConfigServer Security & Firewall (csf) script for generic Linux.

Even though it's meant to be used with WHM cPanel, the generic Linux install works fantastically. There is also an included WEBMIN GUI interface.

Here's the link. http://www.configserver.com/cp/csf.html

sjau
15th June 2008, 19:21
BTW, with denyhosts you can also ban all services for an IP :)