How to ban failed SSH, FTP, POP3 and SMTP logins?

[nenad]

So, as title says I am interested in findig the best possible way to ban all of IP's from where failed logins originate for ssh, ftp, pop3 and smtp services.

I past few days few hackers from China are permanently trying to login in any/all of those services. My complaints to their network's hostmasteers were hopeless.

As I am still under attack 24h daily, I am open to all sugestions.

P.S. DenyHosts installed for SSH. Logcheck too.

[sjau]

For SSH I have this running:

http://www.howtoforge.com/preventing...with_denyhosts

on Debian Sarge and a SuSE 9.2 server

Oh, you have DenyHosts already ^^

[edge]

Not sure if FWSNORT is of use to you..

I'm using PSAD, but thats a Port Scan Attack Detector.

[nenad]

How to use DenyHosts for FTP or mail login ? Is it possible?

[edge]

An other one I just found.. Fail2Ban

[falko]

Also have a look here: http://www.howtoforge.com/forums/showthread.php?t=4611

[nenad]

Thank you.

After I reported attacks to china network hostmaster attacks siezed, for now.
But I will install some of these solutions.

BTW does DenyHosts and BlockHosts interfere one with another?

on the other hand I have toughts about installing FreeSCO or IPCop on separate machine instead of hardware router...?

Which one is better FreeSCO or IPCop ?

[nenad]

Quote:

Originally Posted by edge

An other one I just found.. Fail2Ban

Some people are claiming that there are some problems with it.

BTW all of the solutions are mostly for SSH or FTP but I need solutions for SMTP and POP3 as I noticed that hackers are trying to break in mail server too. Probably they want to use it for spaming. What is the best solution to keep seafe mail server from brute force password crack?

[Ben]

One thing for smtp stuff from china would be greylisting... (postgrey)...
If I got the time I will post sth. how to use with ISPConfig...

Regarding the SSH-Stuff, I just moved my SSH port, since then I did not find any scan for ssh...
For that purpose I disabled the ISPConfig firewall (because it does not let me close port 22) and set it up on the shell via firehol

[nenad]

Quote:

Originally Posted by Ben

One thing for smtp stuff from china would be greylisting... (postgrey)...
If I got the time I will post sth. how to use with ISPConfig...

Regarding the SSH-Stuff, I just moved my SSH port, since then I did not find any scan for ssh...
For that purpose I disabled the ISPConfig firewall (because it does not let me close port 22) and set it up on the shell via firehol

When attack occurs, and that could be in middle of night, I don't have time to ask for "graylist". Password chechk which occurs dozen times pre second can put significant load on server. Only "ban" method is solutions in such occurences.