So, as title says I am interested in findig the best possible way to ban all of IP's from where failed logins originate for ssh, ftp, pop3 and smtp services. I past few days few hackers from China are permanently trying to login in any/all of those services. My complaints to their network's hostmasteers were hopeless. As I am still under attack 24h daily, I am open to all sugestions. P.S. DenyHosts installed for SSH. Logcheck too.
For SSH I have this running: http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts on Debian Sarge and a SuSE 9.2 server Oh, you have DenyHosts already ^^
Thank you. After I reported attacks to china network hostmaster attacks siezed, for now. But I will install some of these solutions. BTW does DenyHosts and BlockHosts interfere one with another? on the other hand I have toughts about installing FreeSCO or IPCop on separate machine instead of hardware router...? Which one is better FreeSCO or IPCop ?
Some people are claiming that there are some problems with it. BTW all of the solutions are mostly for SSH or FTP but I need solutions for SMTP and POP3 as I noticed that hackers are trying to break in mail server too. Probably they want to use it for spaming. What is the best solution to keep seafe mail server from brute force password crack?
One thing for smtp stuff from china would be greylisting... (postgrey)... If I got the time I will post sth. how to use with ISPConfig... Regarding the SSH-Stuff, I just moved my SSH port, since then I did not find any scan for ssh... For that purpose I disabled the ISPConfig firewall (because it does not let me close port 22) and set it up on the shell via firehol
When attack occurs, and that could be in middle of night, I don't have time to ask for "graylist". Password chechk which occurs dozen times pre second can put significant load on server. Only "ban" method is solutions in such occurences.
I don't understand those "10 characters" ? if you mean "10 characters long password" I can't control how many characters will be long any of password for any of users of my servers. besides that, that does not prevent load on smtp/pop3 servers. and in case of break in of password, smtp server might be used for sending spam for a days even weeks befor esomeone notice that. usually you notice that when your servers ip is on the RBL ... unfortunatelly, or through high load or traffic for smtp server. last week ther was incided that I hacker tryed to break in pop3 , obviously he was very interested in reading someones emails.... and unfortunattely it was my personal email...
I installed ISPConfig for the first time yesterday and was amazed at it's capabilities. A very big "thank you" to all the developers. DenyHosts has worked very well for me in the past on some other servers I have built and I will be installing it on my ISPConfig server. Until then, I made a few changes to the default sshd_config settings from my new install to increase the security of ssh. I set PermitRootLogin to "no" and added AllowUsers to just my personal login. Just these two changes alone will tighten up your ssh quite a bit. If you want to go further, changing the port sshd listens to is a great idea, as is using crypto keys instead of password authentication.
I user fail2ban and did not encaunter major problems by now. I use it for SSH, FTP and some stuff I wrote by myself (in conjunction with mod_security). It seems to be a pretty popular tool and it's easily configurable.
Hi I use OSSEC-HIDS, it works prefectly in one of my production server Thanks to the tutorial for installing OSSEC-HIDS: http://www.howtoforge.com/intrusion_detection_with_ossec_hids
i use blockhost but the problem with this daemons (blockhosts, denyhosts...), is that monitored services must be not running as stand alone servers. so if u have a hosting server, normally u must run ftp servirce as stand alone server to increase the performance, but then u can't ban failed loggin attemps.... any idea then? i'd like to know too, how to ban bots trying to find scripts on the server? but i still dont know how... any help would be appreciated guys thk u all
move ssh to different port I also moved ssh port and did not worry about 22 being closed as there is nothing listening on it. What is the difference? Curious, but since there is no daemon listening on the port it seems like it makes no difference if it is open. Please advise.
