How to ban failed SSH, FTP, POP3 and SMTP logins?

Discussion in 'Tips/Tricks/Mods' started by nenad, Jul 13, 2006.

  1. nenad

    nenad Member

    So, as the title says, I am interested in finding the best possible way to ban all IPs from where failed logins originate for ssh, ftp, pop3 and smtp services.

    In the past few days a few hackers from China are permanently trying to log in to any/all of those services. My complaints to their network's hostmasters were hopeless.

    As I am still under attack 24h daily, I am open to all suggestions.

    P.S. DenyHosts installed for SSH. Logcheck too.
     
  2. sjau

    sjau Local Meanie Moderator

  3. edge

    edge Active Member Moderator

    Not sure if FWSNORT is of use to you..

    I'm using PSAD, but that's a Port Scan Attack Detector.
     
  4. nenad

    nenad Member

    How to use DenyHosts for FTP or mail login? Is it possible?
     
  5. edge

    edge Active Member Moderator

    Another one I just found.. Fail2Ban
     
  6. falko

    falko Super Moderator Howtoforge Staff

  7. nenad

    nenad Member

    Thank you.

    After I reported the attacks to the China network hostmaster, the attacks ceased, for now.
    But I will install some of these solutions.

    BTW, do DenyHosts and BlockHosts interfere with one another?

    On the other hand, I have thoughts about installing FreeSCO or IPCop on a separate machine instead of a hardware router...?

    Which one is better, FreeSCO or IPCop?
     
  8. nenad

    nenad Member

    Some people are claiming that there are some problems with it.

    BTW all of the solutions are mostly for SSH or FTP but I need solutions for SMTP and POP3, as I noticed that hackers are trying to break into the mail server too. Probably they want to use it for spamming. What is the best solution to keep a mail server safe from brute-force password cracking?
     
  9. Ben

    Ben Active Member Moderator

    One thing for smtp stuff from china would be greylisting... (postgrey)...
    If I got the time I will post sth. how to use with ISPConfig...

    Regarding the SSH-Stuff, I just moved my SSH port, since then I did not find any scan for ssh...
    For that purpose I disabled the ISPConfig firewall (because it does not let me close port 22) and set it up on the shell via firehol
     
  10. nenad

    nenad Member

    When an attack occurs, and that could be in the middle of the night, I don't have time to ask for "graylist". A password check which occurs a dozen times per second can put significant load on the server. Only the "ban" method is a solution in such occurrences.
     
  11. Ben

    Ben Active Member Moderator

    ah ok...

    10 characters
     
  12. nenad

    nenad Member

    I don't understand those "10 characters"?

    If you mean "10 characters long password", I can't control how many characters long any password will be for any of the users of my servers.

    Besides that, that does not prevent load on smtp/pop3 servers. And in case a password is broken, the smtp server might be used for sending spam for days, even weeks, before someone notices that. Usually you notice that when your server's IP is on the RBL ... unfortunately, or through high load or traffic for the smtp server.

    Last week there was an incident where a hacker tried to break into pop3; obviously he was very interested in reading someone's emails.... and unfortunately it was my personal email...
     
  13. spunk

    spunk New Member


    I installed ISPConfig for the first time yesterday and was amazed at its capabilities. A very big "thank you" to all the developers.

    DenyHosts has worked very well for me in the past on some other servers I have built and I will be installing it on my ISPConfig server. Until then, I made a few changes to the default sshd_config settings from my new install to increase the security of ssh. I set PermitRootLogin to "no" and added AllowUsers to just my personal login. Just these two changes alone will tighten up your ssh quite a bit. If you want to go further, changing the port sshd listens to is a great idea, as is using crypto keys instead of password authentication.
     
  14. AlArenal

    AlArenal New Member

    I use fail2ban and have not encountered major problems so far. I use it for SSH, FTP and some stuff I wrote by myself (in conjunction with mod_security). It seems to be a pretty popular tool and it's easily configurable.
     
  15. anmsid

    anmsid New Member

  16. lyndros

    lyndros New Member

    i use blockhost but the problem with these daemons (blockhosts, denyhosts...) is that monitored services must not be running as stand alone servers. so if u have a hosting server, normally u must run the ftp service as a stand alone server to increase the performance, but then u can't ban failed login attempts....

    any idea then?

    i'd like to know too, how to ban bots trying to find scripts on the server? but i still don't know how...

    any help would be appreciated guys

    thk u all
     
  17. stargazer

    stargazer Member HowtoForge Supporter

    move ssh to different port

    I also moved ssh port and did not worry about 22 being closed as there is nothing listening on it. What is the difference? Curious, but since there is no daemon listening on the port it seems like it makes no difference if it is open. Please advise.
     
  18. falko

    falko Super Moderator Howtoforge Staff

    Why don't you try fail2ban?
     
  19. falko

    falko Super Moderator Howtoforge Staff

    If there's nothing running on that port, you don't need to close it in your firewall.
     
  20. lyndros

    lyndros New Member

    thks falko, i've checked fail2ban and it seems that it is just perfect for me.

    thks again :)
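
The "ban" approach this thread converges on (count failed logins per source IP across SSH, FTP, SMTP and POP3, and flag the IP once it crosses a threshold inside a time window), as an added example that is not from any poster and is not fail2ban's own code. The log formats (OpenSSH, ProFTPD, Postfix SASL, Dovecot), the function `offenders`, its parameters `max_retry` and `find_time`, and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Assumed log formats (OpenSSH, ProFTPD, Postfix SASL, Dovecot); the thread
# does not name the daemons, so adjust these to what the server actually logs.
PATTERNS = {
    # Anchored at end of line so text inside the user name cannot be
    # mistaken for the source address.
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for .* from " + IP + r" port \d+ ssh2$"),
    "ftp": re.compile(r"proftpd\[\d+\]: \S+ \(\S+\[" + IP + r"\]\) - USER .*\(Login failed\)"),
    "smtp": re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[" + IP + r"\]: SASL \w+ authentication failed"),
    "pop3": re.compile(r"dovecot: pop3-login: .*auth failed.*rip=" + IP + r", lip="),
}

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "Jul 13 03:12:01 mail sshd[4101]: Failed password for root from 203.0.113.5 port 40022 ssh2",
    "Jul 13 03:12:04 mail proftpd[4110]: mail (203.0.113.5[203.0.113.5]) - USER admin (Login failed): Incorrect password",
    "Jul 13 03:12:09 mail postfix/smtpd[4120]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure",
    "Jul 13 03:12:15 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<nenad>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10",
    "Jul 13 03:40:00 mail sshd[4177]: Failed password for invalid user test from 198.51.100.7 port 51514 ssh2",
]

def offenders(lines, max_retry=3, find_time=600, year=2006):
    """Map each IP with >= max_retry failures (all services combined)
    inside a find_time-second window to the services it failed against."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    services = defaultdict(set)   # ip -> services with failed logins
    flagged = set()
    for line in lines:
        for svc, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                break
        else:
            continue              # not a failed-login line
        # Syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        ip = m.group(1)
        services[ip].add(svc)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > find_time:
            window.popleft()
        if len(window) >= max_retry:
            flagged.add(ip)
    return {ip: sorted(services[ip]) for ip in flagged}
```

`offenders(SAMPLE)` flags only 203.0.113.5, which failed against three services within seconds; the returned addresses are what a firewall rule or hosts.deny entry would then block.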
     
