block host with brute-force attack
Bill Campbell
linux-sxs at celestial.com
Mon Mar 30 18:16:09 PDT 2009
On Mon, Mar 30, 2009, Ken Moffat wrote:
>On Mon, Mar 30, 2009 at 4:37 PM, Bill Campbell <linux-sxs at celestial.com> wrote:
>
>> On Mon, Mar 30, 2009, Ken Moffat wrote:
>> >On Mon, Mar 30, 2009 at 2:49 PM, Bill Campbell <linux-sxs at celestial.com> wrote:
>> >
>> >> On Mon, Mar 30, 2009, vu pham wrote:
>> >> > I remember someone mentioned/asked/answered this already but I just
>> >> > could not remember it.
>> >> >
>> >> > My system gets a lot of password-guess attacks. What is the tool that
>> >> > disables those remote attack hosts?
>> >> >
>> >>
>> >> fail2ban comes to mind.
>> >>
>> >denyhosts blocks ip addresses after 3 (configurable) failed ssh logins.
>> >
>> >It can block either just ssh or all services for the denied ip address,
>> >adding the offending ip address to /etc/hosts.deny.
>>
>> While this prevents access, it does not necessarily avoid filling
>> your log files with garbage as sshd probably logs failed attempts.
>>
>> Bill
>>
>
>Correct. I run a small home server using 1 static ip address and have had
>good results.
>
>Are there advantages to fail2ban?
It can bring up iptables blocks automatically based on user-defined
thresholds, and automatically removes the blocks based on some timeout
criteria. This can drastically reduce the number of log entries (over
35,000/month here and at our client sites).
I am currently working on a variation based on a combination of
tcp_wrappers twist rules on rejects and swatch triggers that will maintain
a PostgreSQL database on each machine, automatically triggering blocks at
user-specified thresholds, and possibly consolidating information from all
the machines we support and monitor. I want local databases for speed, but
a central store to allow the possibility to automatically block on all
systems when we detect heavy hitting.
I have been amazed at how quickly some attacks run around the net. I have
seen probes starting at a customer site in North Carolina, followed rapidly
by attacks from the same IP on sites in Ohio, Tennessee, Indiana, Missouri,
Texas, Alaska, and Washington within an 8 hour period.
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186
The end move in politics is always to pick up a gun. -- Buckminster Fuller
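The threshold-plus-timeout behaviour Bill describes (block an address after N failures inside a window, lift the block automatically later, and stop the blocked host's further attempts from ever reaching sshd and the log) can be seen on a small scale by replaying sshd log lines through a sliding-window blocker. The script below is an added example written for this archive page; it is not fail2ban's code, not denyhosts, and not Bill's tcp_wrappers/swatch/PostgreSQL tool. It borrows fail2ban's jail option names (maxretry, findtime, bantime) for its parameters, assumes a 2009 syslog year because syslog timestamps carry none, and only records the iptables commands it would run as strings rather than executing them. The log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2009  # assumed: syslog timestamps omit the year

# sshd "Failed password" lines as written to auth.log / syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failed_login(line, year=YEAR):
    """Return (timestamp, ip, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

class BruteForceBlocker:
    """Per-IP sliding window: maxretry failures within findtime seconds => ban
    for bantime seconds; the ban is removed automatically once it expires."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.recent = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                  # ip -> datetime when the ban expires
        self.commands = []                # iptables commands that would be run (not executed)

    def _unban_expired(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")

    def observe(self, ts, ip):
        """Feed one failed login in time order. Returns True if the attempt would
        have been dropped at the firewall (IP already banned) and so would never
        have reached sshd; those are the log lines the block saves you."""
        self._unban_expired(ts)
        if ip in self.banned:
            return True
        window = self.recent[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            self.commands.append(f"iptables -I INPUT -s {ip} -j DROP")
            window.clear()
        return False

def replay(log_text, **kw):
    """Replay a log through the blocker and count what sshd would still have logged."""
    blocker = BruteForceBlocker(**kw)
    logged = suppressed = 0
    for line in log_text.splitlines():
        parsed = parse_failed_login(line)
        if parsed is None:
            continue                      # accepted logins, other daemons, noise
        ts, ip, _user = parsed
        if blocker.observe(ts, ip):
            suppressed += 1
        else:
            logged += 1
    return {"logged": logged, "suppressed": suppressed,
            "banned_now": sorted(blocker.banned), "commands": blocker.commands}

# Constructed sample: one host guessing five times in eight seconds, one
# legitimate user fumbling a password, and the guesser returning after an hour.
SAMPLE_LOG = """\
Mar 30 14:49:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 30 14:49:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 30 14:49:05 host sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
Mar 30 14:49:07 host sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
Mar 30 14:49:09 host sshd[2005]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar 30 14:55:00 host sshd[2010]: Failed password for bill from 198.51.100.9 port 51000 ssh2
Mar 30 15:10:00 host sshd[2011]: Accepted password for bill from 198.51.100.9 port 51001 ssh2
Mar 30 16:00:00 host sshd[2020]: Failed password for root from 203.0.113.7 port 40100 ssh2
Mar 30 16:00:02 host sshd[2021]: Failed password for root from 203.0.113.7 port 40101 ssh2
"""

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

With the defaults the guesser is blocked on its third failure at 14:49:05, its next two attempts never reach sshd, the block is lifted when it next shows up after the hour has elapsed, and its two fresh failures are counted from zero again. Raising bantime, or feeding bans from several hosts into one shared store as Bill proposes, is what turns this from per-box log hygiene into the cross-site blocking he is after.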