I am getting 2000+ attempts to gain access to my Fedora server on a daily basis. I am fairly confident that no breach has been made, but is there a way to stop these attempts? Say, after 10 failed attempts, automatically block the IP address. Sample log output:
Like Hagforce suggests, change the port, or use a firewall rule to only accept your IP on that port. Another option (and a nice way) is using Port Knocking. More info @ http://www.portknocking.org/
Hi! You should try DenyHosts. There's a howto on Howtoforge about it http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
I use Fail2Ban on my boxes. It's a simple apt-get (assuming you're using Debian) away and I only change three things in /etc/fail2ban.conf:
1. I turn email notifications on
2. I enter my email address
3. I put my own IP into the ignore section
It monitors SSH by default, but you can turn on other ports as well.
You can lock down SSH access to only certain IP addresses; look here for the how-to: http://www.howtoforge.com/forums/showthread.php?t=6209
Regards, Matt
Fail2Ban sounds nice.... Would this be effective on SMTP, POP, IMAP and FTP too? Or is it a bad idea to use on public servers? I would like to configure it so that user IPs that enter an invalid user or password 20 times get blocked for 60 minutes; is this possible? Is it easy to monitor which IPs are blocked? This would be nice.
Yes, you can block any protocol you like as long as you know which port it listens on. Well, if you block SMTP and POP on a public server you will limit who can send and receive email; FTP could work, I suppose, as long as you know the source IP and the user won't be using different internet connections.
Regards, Matt
What do you mean, you will limit who can send and receive email.... I thought this was a program for blocking brute force.... Do you mean that it counts successful login attempts also, so if one user checks his mail 20 times in a short time, the IP will be blocked.... Any tips on this kind of setup?
I think it's a fabulous idea to use on public servers. If you set the failed passwords at something like 10 or so, then you'll really make brute force attacks difficult. And any user that enters their password wrong 10 times in x number of minutes is really too stupid to use your server anyway. There are 'unban' settings, yes. You can ban for specific periods of time. It can even use deny/allow hosts files if you don't have access to IPTables (as some VPSes don't, depending on their setup). Check out the docs. They're really short and easy to understand. http://www.fail2ban.org/wiki/index.php/Main_Page
While I love OSSEC, it isn't trivial to set up or configure properly. And for protection of your own server, it seems like Fail2Ban would be the ticket.
It does not seem like fail2ban supports services like Dovecot, Postfix and POP3 that I run on my server. Has anybody tried this?