Fred Stluka on 8 Jun 2012 11:53:11 -0700


Re: [PLUG] SSH brute force attacks using PlcmSpIp

+1 for fail2ban.

I also use logwatch and tripwire.  It's a nice combination:
- logwatch -- see all the hackers trying to get in
- fail2ban -- block the persistent hackers and see much smaller numbers in the logwatch reports
- tripwire -- tell me if anyone did get in
See my summary of each of these, and also port-knocking
(which I have not yet set up) at:

By default fail2ban blocks an IP address for 10 minutes after
3 failed attempts within 10 minutes.  However, I found that
some automated brute force attacks take this into account
and time things accordingly.  They come back 11 minutes
after being blocked, try every 4 minutes or so to avoid being
blocked, etc.  Therefore, I changed the settings to block for
much longer after fewer attempts within more time.  If I or
another valid user gets locked out accidentally at one IP address,
I can always come in via the IP address of another server, and
remove the block.

For those occasions when I want to block an IP permanently,
I wrote scripts:

I also lock down ssh to disallow root login and to only allow
a couple of specific users to log in.  And I configure sudo, so
that specific users can do privileged operations, and no one
ever has to su to root.  All ssh access is via keys, not
passwords, so I wrote a script to make it easy to generate keys
and/or push them to a new server:

Fred Stluka
Bristle Software, Inc -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
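As an added example (not code from Fred's post or his scripts): a small POSIX shell script that prints a stricter fail2ban [sshd] jail along the lines described above (longer ban, fewer attempts, longer window) and audits an sshd_config for the lockdown settings mentioned (no root login, key-only, a short AllowUsers list). The jail values and user names are constructed assumptions, and the audit assumes a plain sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post. Jail values are assumptions.

# Print a jail.local fragment with a long ban after few attempts in a wide
# window; install as /etc/fail2ban/jail.local and reload fail2ban.
stricter_sshd_jail() {
  cat <<EOF
[sshd]
enabled  = true
maxretry = 2
findtime = 1h
bantime  = 1d
EOF
}

# sshd_option FILE KEYWORD: value of the first non-comment occurrence of
# KEYWORD (case-insensitive), which is the one sshd actually applies.
sshd_option() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# sshd_lockdown_check FILE: report each missing lockdown setting and return
# the number of problems (0 means the file matches the post's lockdown).
sshd_lockdown_check() {
  f=$1; problems=0
  [ "$(sshd_option "$f" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ] ||
    { echo "PermitRootLogin should be no"; problems=$((problems + 1)); }
  [ "$(sshd_option "$f" PasswordAuthentication | tr 'A-Z' 'a-z')" = "no" ] ||
    { echo "PasswordAuthentication should be no (keys only)"; problems=$((problems + 1)); }
  [ -n "$(sshd_option "$f" AllowUsers)" ] ||
    { echo "AllowUsers not set; every account can try to log in"; problems=$((problems + 1)); }
  return $problems
}

# Usage: ./sshd_audit.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
  sshd_lockdown_check "$1"
fi
```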

Philadelphia Linux Users Group