Fred Stluka on 8 Jun 2012 11:53:11 -0700



Re: [PLUG] SSH brute force attacks using PlcmSpIp


+1 for fail2ban.

I also use logwatch and tripwire.  It's a nice combination:
- logwatch -- see all the hackers trying to get in
- fail2ban -- block the persistent hackers and see much
                     smaller numbers in the logwatch reports
- tripwire -- tell me if anyone did get in
See my summary of each of these, and also port-knocking
(which I have not yet set up) at:
    http://bristle.com/Tips/Unix.htm#unix_security

By default fail2ban blocks an IP address for 10 minutes after
3 failed attempts within 10 minutes.  However, I found that
some automated brute force attacks take this into account
and time things accordingly.  They come back 11 minutes
after being blocked, try every 4 minutes or so to avoid being
blocked, etc.  Therefore, I changed the settings to block for
much longer after fewer attempts within more time.  If I or
another valid user get locked out accidentally at one IP address,
I can always come in via the IP address of another server, and
remove the block.

For those occasions when I want to block an IP permanently,
I wrote scripts:
    http://bristle.com/Tips/Unix/ipblock
    http://bristle.com/Tips/Unix/ipunblock

I also lock down ssh to disallow root login and to only allow
a couple of specific users to login.  And I configure sudo, so
that specific users can do privileged operations, and no one
ever has to su to root.  All ssh access is via keys, not
passwords, so I wrote a script to make it easy to generate keys
and/or push them to a new server:
    http://bristle.com/Tips/Unix/authorize_ssh_key

--Fred
------------------------------------------------------------------------
Fred Stluka -- mailto:fred@bristle.com -- http://bristle.com/~fred/
Bristle Software, Inc -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
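The following is an added example, not code from the post above or from the fail2ban project. It replays a few constructed sshd log lines through a simplified model of fail2ban's maxretry/findtime/bantime logic, so you can see why an attacker who paces attempts stays under the "3 failures in 10 minutes" defaults quoted in the post, while a jail tuned for fewer attempts over a longer window catches it. The log lines, host name, IP addresses and the HARDENED_JAIL values are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the original post): one address paced to
# stay under the 3-in-10-minutes default, one naive burst, and one legitimate user.
SAMPLE_LOG = """\
Jun  8 10:00:00 host sshd[1001]: Failed password for invalid user PlcmSpIp from 203.0.113.7 port 40001 ssh2
Jun  8 10:06:00 host sshd[1002]: Failed password for invalid user PlcmSpIp from 203.0.113.7 port 40002 ssh2
Jun  8 10:12:00 host sshd[1003]: Failed password for invalid user PlcmSpIp from 203.0.113.7 port 40003 ssh2
Jun  8 10:18:00 host sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
Jun  8 10:24:00 host sshd[1005]: Failed password for invalid user admin from 203.0.113.7 port 40005 ssh2
Jun  8 10:01:00 host sshd[1006]: Failed password for fred from 198.51.100.5 port 50001 ssh2
Jun  8 10:01:20 host sshd[1007]: Accepted publickey for fred from 198.51.100.5 port 50002 ssh2
Jun  8 10:30:00 host sshd[1008]: Failed password for root from 192.0.2.44 port 60001 ssh2
Jun  8 10:30:05 host sshd[1009]: Failed password for root from 192.0.2.44 port 60002 ssh2
Jun  8 10:30:10 host sshd[1010]: Failed password for root from 192.0.2.44 port 60003 ssh2
"""

# Values the post quotes as fail2ban's defaults: 3 failures within 10 min, ban 10 min.
DEFAULT_JAIL = {"maxretry": 3, "findtime": 600, "bantime": 600}
# Assumed example of "block for much longer after fewer attempts within more time":
# 2 failures within 1 hour, ban for 24 hours.
HARDENED_JAIL = {"maxretry": 2, "findtime": 3600, "bantime": 86400}

# Matches the sshd "Failed password" line for both real and "invalid user" names.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2012):
    """Return a time-sorted list of (timestamp, source_ip) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    events.sort()
    return events


def simulate_bans(events, maxretry, findtime, bantime):
    """Replay failures and return {ip: [ban timestamps]} under the given jail settings.

    A ban fires when an address has at least `maxretry` failures inside the last
    `findtime` seconds; attempts made while an address is banned are dropped by
    the firewall, so they do not count toward a new ban.
    """
    recent = defaultdict(deque)  # per-IP failures still inside the findtime window
    banned_until = {}
    bans = defaultdict(list)
    for ts, ip in events:
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # slide the window forward
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans[ip].append(ts)
            window.clear()
    return dict(bans)


def ban_report(log_text, jail):
    """Human-readable ban times per IP for a given jail configuration."""
    bans = simulate_bans(parse_failures(log_text), **jail)
    return {ip: [t.strftime("%H:%M:%S") for t in times] for ip, times in bans.items()}


if __name__ == "__main__":
    print("default jail :", ban_report(SAMPLE_LOG, DEFAULT_JAIL))
    print("hardened jail:", ban_report(SAMPLE_LOG, HARDENED_JAIL))
```

With the default settings only the three-in-ten-seconds burst from 192.0.2.44 is banned; the address probing every six minutes never has three failures inside any ten-minute window. The hardened jail bans it on its second attempt at 10:06 and holds the ban for a day, which is the trade-off the post describes: a legitimate user who fat-fingers a password twice is locked out too, so keep a second address you can reach the box from to lift the ban.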