
Mailing List Archive: Gentoo: User

Blocking login attempts to sshd and vsftpd


richardmarzan at optonline

Nov 14, 2009, 1:49 PM

Post #1 of 10 (342 views)
Blocking login attempts to sshd and vsftpd

I recently checked my log files and discovered that there was a dictionary
attack attempt on my daemons. sshd and vsftpd were the primary targets. Is
there a script or tool to block the offending IP addresses using iptables?
Something that checks to see if a minimum of attempts has occurred and blocks
them indefinitely based on that?


Regards,
Richard M.


wonko at wonkology

Nov 14, 2009, 2:01 PM

Post #2 of 10 (340 views)
Re: Blocking login attempts to sshd and vsftpd

Richard Marza writes:

> I recently checked my log files and discovered that there was a
> dictionary attack attempt on my daemons. sshd and vsftpd were the
> primary targets. Is there a script or tool to block the offending IP
> addresses using iptables? Something that checks to see if a minimum of
> attempts has occurred and blocks them indefinitely based on that?

I am using net-analyzer/fail2ban for this. There is also app-admin/denyhosts,
which gets a list of offending IPs from a server. But it may only be for SSH.

Wonko
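The kind of check Richard asks for, as an added example that is not part of the thread and is not fail2ban's or denyhosts' own code: it parses failed-login lines from both daemons, counts failures per source address inside a window, and records a ban once a threshold is reached, using the same maxretry/findtime/bantime vocabulary fail2ban uses. The log lines are constructed for the example (syslog omits the year, so 2009 is assumed), the addresses are documentation ranges, and the iptables rules are rendered as strings rather than run. Bans expire and an ignore list protects the LAN; without both, a permanent ban eventually catches the owner or a legitimate user.

```python
"""Threshold-based bans over sshd and vsftpd log lines (added illustration,
not code from the thread, fail2ban or denyhosts). Assumed: syslog-style sshd
lines and vsftpd.log-style lines as in the constructed sample; year 2009."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure lines for the two daemons named in the thread.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed "
    r"(?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")
VSFTPD_FAIL = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] "
    r'\[[^\]]*\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')

def parse_failure(line):
    """Return (timestamp, client ip) for a failed-login line, else None."""
    m = SSHD_FAIL.match(line)
    if m:  # syslog omits the year; 2009 is assumed for the sample
        return datetime.strptime("2009 " + m["ts"], "%Y %b %d %H:%M:%S"), m["ip"]
    m = VSFTPD_FAIL.match(line)
    if m:
        return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"]
    return None

class BanPolicy:
    """maxretry failures inside findtime => ban for bantime. Bans lapse rather
    than last forever, so a host that fat-fingers a password is not locked out
    for good; `ignore` lists networks never banned whatever the logs say."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignore=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignore]
        self.failures = defaultdict(deque)  # ip -> timestamps inside findtime
        self.banned = {}                    # ip -> ban expiry

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.banned.pop(ip, None)  # lapsed, or never banned
        return False

    def record(self, ts, ip):
        """Feed one failure; True if it pushes ip over the threshold."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.ignore) or self.is_banned(ip, ts):
            return False
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # forget failures outside findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            return True
        return False

def scan(lines, policy):
    """Run the policy over log lines; return [(ip, banned_at, until), ...]."""
    bans = []
    for line in lines:
        parsed = parse_failure(line)  # None for successes, other daemons, noise
        if parsed and policy.record(*parsed):
            bans.append((parsed[1], parsed[0], policy.banned[parsed[1]]))
    return bans

# Constructed sample: 203.0.113.5 hammers both daemons, 198.51.100.7 tries
# once, 192.168.1.10 is the owner's own LAN host mistyping a password.
SAMPLE_LOG = """\
Nov 14 13:40:01 gw sshd[4711]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sat Nov 14 13:40:03 2009 [pid 4720] [ftp] FAIL LOGIN: Client "203.0.113.5"
Nov 14 13:40:05 gw sshd[4712]: Failed password for root from 203.0.113.5 port 51235 ssh2
Sat Nov 14 13:40:07 2009 [pid 4721] [admin] FAIL LOGIN: Client "203.0.113.5"
Nov 14 13:40:09 gw sshd[4713]: Failed password for root from 198.51.100.7 port 40000 ssh2
Nov 14 13:40:20 gw sshd[4730]: Failed password for richard from 192.168.1.10 port 50000 ssh2
Nov 14 13:40:21 gw sshd[4731]: Failed password for richard from 192.168.1.10 port 50001 ssh2
Nov 14 13:40:22 gw sshd[4732]: Failed password for richard from 192.168.1.10 port 50002 ssh2
Nov 14 13:40:25 gw sshd[4735]: Accepted publickey for richard from 192.168.1.10 port 50003 ssh2
Nov 14 15:00:00 gw sshd[4800]: Failed password for root from 203.0.113.5 port 52000 ssh2
"""

def demo():
    policy = BanPolicy(maxretry=3, findtime=600, bantime=3600,
                       ignore=("127.0.0.0/8", "192.168.1.0/24"))
    bans = scan(SAMPLE_LOG.splitlines(), policy)
    return {
        "bans": [(ip, t.isoformat(), u.isoformat()) for ip, t, u in bans],
        # the rules an enforcer would insert (rendered, not executed here)
        "rules": [f"iptables -I INPUT -s {ip} -j DROP" for ip, _, _ in bans],
        "banned_at_14h": any(t <= datetime(2009, 11, 14, 14) < u for _, t, u in bans),
        "banned_at_15h": any(t <= datetime(2009, 11, 14, 15) < u for _, t, u in bans),
        "pending": {ip: len(q) for ip, q in policy.failures.items() if q},
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Three failures from 203.0.113.5, split across sshd and vsftpd, trigger one ban at 13:40:05 that lapses an hour later; the vsftpd failure at 13:40:07 is ignored while the ban stands, the LAN host never enters the counter, and the 15:00 attempt starts a fresh count rather than extending an old one. An enforcer would pair each DROP rule with a matching deletion when the ban expires, which fail2ban does for you.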


alan.mckinnon at gmail

Nov 14, 2009, 2:42 PM

Post #3 of 10 (340 views)
Re: Blocking login attempts to sshd and vsftpd

On Saturday 14 November 2009 23:49:23 Richard Marza wrote:
> I recently checked my log files and discovered that there was a dictionary
> attack attempt on my daemons. sshd and vsftpd were the primary targets. Is
> there a script or tool to block the offending IP addresses using iptables?
> Something that checks to see if a minimum of attempts has occurred and
> blocks them indefinitely based on that?


There are HUNDREDS of such solutions out there. Did you even try to Google
first?

fail2ban & denyhosts are quite popular and get the job done.

OSSEC is a full-blown IDS that I use at work, it functions very well but is
probably overkill for your needs.

Last hint: You do NOT want to block hosts permanently. Your logs will empty
sure enough, but sooner or later you will lock yourself out, or you will lock
out people you really do want to access your services.

--
alan dot mckinnon at gmail dot com
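Alan's two recommendations, the tool and the finite ban, as an added example of a minimal /etc/fail2ban/jail.local covering both daemons from the original question. This is not from the thread and not fail2ban's shipped jail.conf. It assumes a fail2ban release whose stock filters are named sshd and vsftpd (0.8-era jail.conf named the jails ssh-iptables and vsftpd-iptables instead), that sshd logs to /var/log/messages and vsftpd to /var/log/vsftpd.log, and a LAN of 192.168.1.0/24; adjust all three to your setup.

```ini
[DEFAULT]
# Seconds a host stays blocked. Finite on purpose: a permanent ban sooner
# or later catches you or someone you want to let in (assumed value).
bantime  = 3600
# Window in which maxretry failures must occur (assumed values).
findtime = 600
maxretry = 5
# Never ban loopback or the LAN, whatever the logs say (assumed LAN range).
ignoreip = 127.0.0.1/8 192.168.1.0/24

[sshd]
enabled = true
port    = ssh
logpath = /var/log/messages

[vsftpd]
enabled = true
port    = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/vsftpd.log
```

After reloading, `fail2ban-client status sshd` lists what is currently banned, and `fail2ban-client set sshd unbanip 203.0.113.5` lifts a ban early when the finite bantime is still too long for someone you need to let back in.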


richardmarzan at optonline

Nov 14, 2009, 4:07 PM

Post #4 of 10 (340 views)
Re: Blocking login attempts to sshd and vsftpd

----- Original Message -----
From: "Alan McKinnon" <alan.mckinnon [at] gmail>
To: <gentoo-user [at] lists>
Sent: Saturday, November 14, 2009 5:42 PM
Subject: Re: [gentoo-user] Blocking login attempts to sshd and vsftpd


> On Saturday 14 November 2009 23:49:23 Richard Marza wrote:
>> I recently checked my log files and discovered that there was a dictionary
>> attack attempt on my daemons. sshd and vsftpd were the primary targets. Is
>> there a script or tool to block the offending IP addresses using iptables?
>> Something that checks to see if a minimum of attempts has occurred and
>> blocks them indefinitely based on that?
>
>
> There are HUNDREDS of such solutions out there. Did you even try to Google
> first?
>
> fail2ban & denyhosts are quite popular and get the job done.
>
> OSSEC is a full-blown IDS that I use at work, it functions very well but is
> probably overkill for your needs.
>
> Last hint: You do NOT want to block hosts permanently. Your logs will empty
> sure enough, but sooner or later you will lock yourself out, or you will lock
> out people you really do want to access your services.
>
> --
> alan dot mckinnon at gmail dot com
>


Thank you for the information. I did find denyhosts and fail2ban in
threads, but there were issues with them not working properly. Some users
created custom scripts to get the job done correctly. I did try Google. I
guess it's no longer my friend. Will try to use another search engine next
time.


waltdnes at waltdnes

Nov 14, 2009, 10:21 PM

Post #5 of 10 (336 views)
Re: Blocking login attempts to sshd and vsftpd

On Sat, Nov 14, 2009 at 07:07:28PM -0500, Richard Marza wrote

> Thank you for the information. I did find denyhosts and fail2ban in
> threads, but there were issues with them not working properly. Some users
> created custom scripts to get the job done correctly.

Have you considered not allowing password-based logins at all for ssh?
Use RSA keys instead. It's much easier, and much more secure.

--
Walter Dnes <waltdnes [at] waltdnes>


alan.mckinnon at gmail

Nov 15, 2009, 12:42 AM

Post #6 of 10 (334 views)
Re: Blocking login attempts to sshd and vsftpd

On Sunday 15 November 2009 08:21:55 Walter Dnes wrote:
> On Sat, Nov 14, 2009 at 07:07:28PM -0500, Richard Marza wrote
>
> > Thank you for the information. I did find denyhosts and fail2ban in
> > threads, but there were issues with them not working properly. Some users
> > created custom scripts to get the job done correctly.
>
> Have you considered not allowing password-based logins at all for ssh?
> Use RSA keys instead. It's much easier, and much more secure.

fail2ban and/or denyhosts are still very useful with key-only auth, even if
only to get the spam out of messages and into the iptables logs.


--
alan dot mckinnon at gmail dot com


neil at digimed

Nov 15, 2009, 12:55 AM

Post #7 of 10 (334 views)
Re: Blocking login attempts to sshd and vsftpd

On Sun, 15 Nov 2009 01:21:55 -0500, Walter Dnes wrote:

> Have you considered not allowing password-based logins at all for ssh?
> Use RSA keys instead. It's much easier, and much more secure.

That doesn't stop the attempts.


--
Neil Bothwick

Quantum leap: (adj.) literally, to move by the smallest amount
theoretically possible. In advertising, to move by the largest leap
imaginable (in the mind of the advertiser). There is no contradiction.


gentoo-user at konstantinhansen

Nov 15, 2009, 3:22 AM

Post #8 of 10 (332 views)
Re: Blocking login attempts to sshd and vsftpd

Richard Marza wrote:
> I recently checked my log files and discovered that there was a dictionary
> attack attempt on my daemons. sshd and vsftpd were the primary targets.
> Is there a script or tool to block the offending IP addresses using
> iptables? Something that checks to see if a minimum of attempts has
> occurred and blocks them indefinitely based on that?
>
>
> Regards,
> Richard M.
>

Hi,

I am using that script:
http://blinkeye.ch/dokuwiki/doku.php/projects/blacklist

kh


richardmarzan at optonline

Nov 15, 2009, 5:21 AM

Post #9 of 10 (334 views)
Re: Blocking login attempts to sshd and vsftpd

----- Original Message -----
From: "KH" <gentoo-user [at] konstantinhansen>
To: <gentoo-user [at] lists>
Sent: Sunday, November 15, 2009 6:22 AM
Subject: Re: [gentoo-user] Blocking login attempts to sshd and vsftpd


> Richard Marza wrote:
>> I recently checked my log files and discovered that there was a dictionary
>> attack attempt on my daemons. sshd and vsftpd were the primary targets.
>> Is there a script or tool to block the offending IP addresses using
>> iptables? Something that checks to see if a minimum of attempts has
>> occurred and blocks them indefinitely based on that?
>>
>>
>> Regards,
>> Richard M.
>>
>
> Hi,
>
> I am using that script:
> http://blinkeye.ch/dokuwiki/doku.php/projects/blacklist
>
> kh
>


This is perfect and more straight-forward than the alternatives. I'm
surprised this isn't one of the most mentioned or talked about in the
threads. Thank you all.


doki_pen at doki-pen

Nov 15, 2009, 10:17 AM

Post #10 of 10 (333 views)
Re: Blocking login attempts to sshd and vsftpd

In gmane.linux.gentoo.user, you wrote:
> On Sunday 15 November 2009 08:21:55 Walter Dnes wrote:
>> On Sat, Nov 14, 2009 at 07:07:28PM -0500, Richard Marza wrote
>>
>> > Thank you for the information. I did find denyhosts and fail2ban in
>> > threads, but there were issues with them not working properly. Some users
>> > created custom scripts to get the job done correctly.
>>
>> Have you considered not allowing password-based logins at all for ssh?
>> Use RSA keys instead. It's much easier, and much more secure.
>
> fail2ban and/or denyhosts are still very useful with key-only auth, even if
> only to get the spam out of messages and into the iptables logs.

I've hardened ssh by doing the following:

* Only allow certain users to ssh
* Not allowing password login, but only RSA
* Switching ssh to a non-standard port

This has dramatically reduced the amount of attacks my box gets. It's
down to about 2 attacks per year, which is good enough for me. Another
trick I learned about, but haven't implemented, is changing the version
string in sshd by patching the source. SSH vulnerability attacks
actually check the version string, so if you change it to something
unique, the scripts won't even try to get into your box.
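The three hardening steps above, together with Walter's key-only advice, as an added sshd_config fragment. It is not from either post and not OpenSSH's shipped file; the account name and the port are placeholders, and the commented lines show the stock values being replaced. The version-string change mentioned at the end is not an sshd_config setting and is left out.

```text
# Added hardening fragment for /etc/ssh/sshd_config.
# Placeholders: the user name "richard" and port 2222 are assumptions.

# 1. Only the named accounts may log in over ssh; everyone else, root
#    included, is refused before any authentication is attempted.
AllowUsers richard

# 2. Key-only authentication: no password prompt for a dictionary attack
#    to hit. The stock value is shown commented out above the replacement.
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# 3. Non-standard port. This only thins out bulk scanners; it is not a
#    security boundary and must not be the only change made.
#Port 22
Port 2222
```

Check the file with `sshd -t` before restarting, and keep the current session open until a fresh login on the new port with the key succeeds: AllowUsers plus key-only authentication is exactly the combination that locks out a mistyped user name or a key that was never copied over.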
