HowtoForge Forums > ISPConfig 2 > General

Hack attempts

#1
27th March 2007, 08:54
Andee63

I am getting 2000+ attempts to gain access to my Fedora server on a daily basis.
I am fairly confident that no breach has been made. But is there a way to stop these attempts? Say, after 10 failed attempts, to automatically block the IP address.

Sample log output:
Quote:
pam_succeed_if(sshd:auth): error retrieving information about user apple
__________________
Andee
www.elmtreeweb.co.uk

#2
27th March 2007, 09:41
Hagforce

I had the same problem, then I changed the SSH port and it all stopped.

#3
27th March 2007, 10:06
edge

Like Hagforce suggests, change the port, or use a firewall rule to only accept your IP on that port.

Another option (and a nice way) is using Port Knocking. More info @ http://www.portknocking.org/
__________________
Never execute code written on a Friday or a Monday.

#4
27th March 2007, 10:43
Leszek

Hi!

You should try DenyHosts. There's a howto on HowtoForge about it: http://www.howtoforge.com/preventing...with_denyhosts

#5
27th March 2007, 11:24
Andee63

Thanks for the advice. I will look into your suggestions when I am back at the server.
__________________
Andee
www.elmtreeweb.co.uk

#6
28th March 2007, 00:32
jonwatson

I use Fail2Ban on my boxes. It's a simple apt-get (assuming you're using Debian) away and I only change three things in /etc/fail2ban.conf:

1. I turn email notifications on
2. I enter my email address
3. I put my own IP into the ignore section

It monitors SSH by default but you can turn on other ports as well.

#7
28th March 2007, 02:26
punto

You can lock down SSH access to only certain IP addresses, look here for the how-to:

http://www.howtoforge.com/forums/showthread.php?t=6209

Regards

Matt

#8
29th March 2007, 12:24
Hagforce

Fail2Ban sounds nice....

This would be effective on smtp, pop, imap and ftp too?

Or is it a bad idea to use on public servers?

I would like to configure that user IPs that enter invalid user or password 20 times get blocked for 60 minutes, is this possible?

Is it easy to monitor which IPs are blocked?

This would be nice

#9
29th March 2007, 12:46
punto

Quote:
Originally Posted by Hagforce
Fail2Ban sounds nice....

This would be effective on smtp, pop, imap and ftp too?

Or is it a bad idea to use on public servers?

I would like to configure that user IPs that enter invalid user or password 20 times get blocked for 60 minutes, is this possible?

Is it easy to monitor which IPs are blocked?

This would be nice

Yes, you can block any protocol you like as long as you know which port it listens on.

Well, if you block smtp and pop on a public server you will limit who can send and receive email. FTP could work, I suppose, as long as you know the source IP and the user won't be using different internet connections.

Regards
Matt

#10
29th March 2007, 16:46
Hagforce

Quote:
Originally Posted by punto
Well if you block smtp and pop on a public server you will limit who can send and receive email, ftp could work I suppose as long as you know the source IP and the user won't be using different internet connections.

What do you mean you will limit who can send and receive email....

I thought this was a program for blocking brute force....

Do you mean that it counts successful login attempts also, so if one user checks his mail 20 times in a short time, the IP will be blocked....

Any tips on this kind of setup?
Reply With Quote
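
The threshold-and-ban behaviour discussed in this thread (block an IP after N failed logins, for a fixed time, with an ignore list), sketched as an added example; it is not part of any post above and is not Fail2Ban's or DenyHosts' own code. The sshd log line format, the 10-minute counting window, the sample IPs and all function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only sshd "Failed password" lines match; "Accepted password" lines
# (successful logins) never match, so they are never counted.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ "
                    r"from (\d+\.\d+\.\d+\.\d+) ")

def find_bans(lines, max_failures=20, window_min=10, ban_min=60,
              ignore=(), year=2007):
    """Return {ip: (banned_at, banned_until)}. window_min and year are
    assumptions: the thread names no counting window, syslog omits the year."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m.group(2) in ignore:
            continue
        ip = m.group(2)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if ip in bans and ts < bans[ip][1]:
            continue                 # still banned: a firewall would drop this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(minutes=window_min):
            q.popleft()              # forget failures outside the window
        if len(q) >= max_failures:
            bans[ip] = (ts, ts + timedelta(minutes=ban_min))
            q.clear()
    return bans

def sample_log():
    """Constructed log lines (documentation IP ranges), not real data."""
    def line(i, msg, ip):
        return (f"Mar 29 12:{i // 12:02d}:{i % 12 * 5:02d} srv sshd[{1000 + i}]: "
                f"{msg} from {ip} port {40000 + i} ssh2")
    log = [line(i, "Failed password for invalid user apple", "203.0.113.5")
           for i in range(25)]                       # scanner: 25 failures
    log += [line(i, "Failed password for root", "192.0.2.10")
            for i in range(25)]                      # admin's own IP, ignored
    log += [line(i, "Accepted password for andee", "198.51.100.7")
            for i in range(30)]                      # 30 successful logins
    log += [line(i, "Failed password for andee", "198.51.100.7")
            for i in range(3)]                       # a few typos
    return log

if __name__ == "__main__":
    for ip, (at, until) in find_bans(sample_log(), ignore={"192.0.2.10"}).items():
        print(f"{ip} banned {at:%H:%M:%S} until {until:%H:%M:%S}")
```

With the constructed log, only 203.0.113.5 is banned: the ignored address is skipped, and the 30 successful logins plus 3 mistyped passwords from 198.51.100.7 stay below the threshold.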