Hack attempts

Discussion in 'General' started by Andee63, Mar 27, 2007.

  1. Andee63

    Andee63 New Member

    I am getting 2000+ attempts to gain access to my fedora server on a daily basis.
    I am fairly confident that no breach has been made. But is there a way to stop these attempts. Say after 10 failed attempts to automatically block the ip address.

    sample log output
  2. Hagforce

    Hagforce New Member

    I had the same problem, then I changed the SSH port and it all stopped.
  3. edge

    edge Active Member Moderator

    Like Hagforce suggest, change the port, or use a firewall rule to only accept your IP on that port

    An other option (and nice way) is using Port Knocking. More info @ http://www.portknocking.org/
  4. Leszek

    Leszek Member

  5. Andee63

    Andee63 New Member

    Thanks for the advice. I will look into your suggestions when I am back at the server.
  6. jonwatson

    jonwatson New Member

    I use Fail2Ban on my boxes. It's a simple apt-get (assuming you're using Debian) away and I only change three things in /etc/fail2ban.conf:

    1. I turn email notifications on
    2. I enter my email address
    3. I put my own IP into the ignore section

    It monitors SSH by default but you can turn on other ports as well.
  7. punto

    punto New Member

  8. Hagforce

    Hagforce New Member

    Fail2Ban sounds nice....

    This would be effective on smtp, pop, imap and ftp to?

    Or is it a bad idea to use on public servers?

    I would like to configure that user IPs that enter invalid user or password 20 times get blocked for 60 minutes, is this possible?

    Is it easy to monitore witch IPs that is blocked?

    This would be nice :D
  9. punto

    punto New Member

    Yes you can block any protocol you like as long as you know which port it listens on.

    Well if you block smtp and pop on a public server you will limit who can send and receive email, ftp could work I suppose as long as you know the source IP and the user wont be using different internet connections.

  10. Hagforce

    Hagforce New Member

    What do you mean you will limit who can send and receive email....

    I thought this was a program for blocking brute force....

    Do you mean that it counts sucsessfull login attempts also, so if one user checks his mail 20 times in short time, the IP will be blocked....

    Any tips on this cind of setup?
  11. jonwatson

    jonwatson New Member

    I think it's a fabulous idea to use on public servers. If you set the failed passwords at something like 10 or so, then you'll really make brute force attacks difficult. And any user that enters their password wrong 10 times in x number of minutes is really too stupid to use your server anyway :eek:

    There are 'unban' settings, yes. You can ban for specific periods of time.

    It can even use deny/allow hosts files if you don't have access to IPTables (as some VPSes don't depending on their setup).

    Check out the docs. They're really short and easy to understand.

  12. mlz

    mlz New Member

    While I love OSSEC, it isn't trivial to setup or configure properly. And for protection of your own server, seems like Fail2Ban would be the ticket.
  13. Hagforce

    Hagforce New Member

    It does not seem like fail2ban supports services like dovecot, postfix, pop3 I run on my server.

    Anybody tried this?

Share This Page