[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Great IP Auto-Ban script
- To: <luci-discuss@luci.org>
- Subject: Great IP Auto-Ban script
- From: "John Wolgamot" <wolgamot@gmail.com>
- Date: Fri, 1 Sep 2006 14:34:32 -0500
- DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:from:to:subject:date:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:x-mimeole:message-id; b=qnpTt2QU8+mhgnRPe74kV/8owrq2r/mkOUBY3hDgAMT3Ce7xO65yvVjcKtPQifClLoHJgN0kAAU6sM3HbiGuR30LNNStE6MJ+LzwdlKruKIYkClUl8O0R8T1L8A9d1u3ziBFCilZCC/14ZeADm4AYa7xdWaRbmqrIIxzTc9Tpek=
- Organization: Linux Users of Central Illinois
- Reply-To: luci-discuss@luci.org
- Sender: luci-discuss-owner@luci.org
- Thread-Index: AcbN/aX7D+va9JkhQkWpKW/SmaLi8A==
I found a great new brute force security script. At least it seems that way
to me.
I have always worried about ip's being open to the world but to close them
off creates an inconvenience for users who do not have static ip's.
On our private server I used pop3s to secure the passwords but as soon as a
users home ip address changed, they would be locked out of the system.
I now use both pop3-s and imap-s with dovecot/postfix setup to secure the
passwords but still the closed ports are an aggravation.
If anyone remembers me asking this... I asked if there was a way to do with
ssh as you can do with Webmin.
Webmin can be set to pause after <USER DEFINED> failed login attempts. You
can tell it to disallow another login attempt for <USER DEFINED> length of
time. This would seem to make a brute force attack practically impossible
because they can only try 3 times every hour. That is what I have it set to.
I have never seen anyone attempting this on Webmin in my logs because I
changed the default port number but better to be safe and deny after 3
attempts.
However I was told that ssh has no restriction of this type.
Last night I google this:
http://www.google.com/search?q=linux+brute+force+monitor
and found this:
http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/
I made 3 changes to the fail2ban.conf file and it seems to work great.
1. I entered allowed attempts before a ban would occur.
2. How long to ban the ip
3. I entered one of my static ip's as a trusted ip in case the script ever
banned me from my house I can login to a system across town and ssh into the
system from that systems static ip which will never get banned.
At the shell prompt I can type iptables -list
and I get back the numbers which are banned:
Chain fail2ban-SSH (1 references)
target prot opt source destination
DROP all -- 121.150.30.7 anywhere
RETURN all -- anywhere anywhere
It was alarming to see how many attempts were tried from this address
211.151.248.181 Like hundreds and hundreds of attempts.
You can tell fail2ban to do its magic with iptables or hosts.deny
-John
-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.