Fred Stluka on 24 Aug 2018 14:17:59 -0700



Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...


Michael,

Yeah, I use key pairs also.  And have configured ssh to not allow
root logins, only a VERY small list of non-standard usernames.  So,
all the hackers trying to guess the passwords for root, apache, and
a bunch of others are just wasting their time.  I still like fail2ban
since it chases off hackers in a lightweight way, and tips them to
the fact that I have active security measures in place, so they should
go elsewhere to look for an easier target.

Blocklist looks interesting.  Thanks!

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 8/17/18 4:08 PM, Michael Lazin wrote:
I used to use this for fail2ban auto reporting:

http://www.blocklist.de/en/index.html

Just be aware it makes server load because it sends mail via exim to report the attacks to blocklist.de, who in turn report it to the attacking ISPs.  I used to work at a large webhosting company and we would get reports from them.  I've come to really prefer using ssh key pairs which AWS and Azure force you to use.  Key pairs obviate the need for fail2ban.

Cheers,

Michael

On Fri, Aug 17, 2018 at 3:42 PM, Fred Stluka <fred@bristle.com> wrote:

    Linux admins,

    As you may have noticed, there's been a massive upswing in hacking
    attempts from China in the past couple weeks.  My servers now get
    hit an additional hundreds or thousands of times per day. You may
    want to check your logs and beef up your security.

    See my recently posted tip:
    - Log IP addresses for fail2ban
    http://bristle.com/Tips/Unix.htm#log_ip_addresses_for_fail2ban

    It describes a change I had to make to my FTP server to get fail2ban
    to properly block attackers who were gaming their own DNS entries.

    --Fred
    ------------------------------------------------------------------------
    Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
    #DontBeATrump -- Make America Honorable Again!
    ------------------------------------------------------------------------

    ___________________________________________________________________________
    Philadelphia Linux Users Group         -- http://www.phillylinux.org
    Announcements -
    http://lists.phillylinux.org/mailman/listinfo/plug-announce
    General Discussion  --
    http://lists.phillylinux.org/mailman/listinfo/plug




--
Michael Lazin

to gar auto estin noein te kai ennai

