Fred Stluka via plug on 24 Mar 2021 13:35:13 -0700



Re: [PLUG] Web Ass Pfirewall


+1 for fail2ban.

I use logwatch to tell me how many people are rattling
doorknobs looking for an unlocked door.  Without any
other security measures, the counts are scary high.

I also use fail2ban to chase away persistent rattlers.
Now my logwatch counts are MUCH lower.

And I change the default:
- "3 strikes in 10 minutes and you're banned for 10 minutes"
to:
- "3 strikes in a day and you're banned for a week".
No more persistent attempts trying twice every 11 minutes.

I also use tripwire to tell me if anyone actually opens the door.

As well as very restrictive settings in SSH, sudo, firewalls (yes
multiple), SSH keys instead of passwords, etc.

And some home-grown semi-automated ways to propagate
bans from one server to all my servers.

And toss in a little "security via obscurity" just for fun, like
running services on non-standard ports when possible.

Plus a few others that I don't tell people about.  :-)

See:
- http://bristle.com/Tips/Unix.htm#unix_security

--Fred
------------------------------------------------------------------------
Fred Stluka -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------

On 3/17/21 4:46 PM, Chris Thistlethwaite via plug wrote:
+1 for fail2ban. You can set up various bits to keep things banned across multiple servers, but even by itself it's pretty much the go-to solution for banning things.

Too many ssh requests? banned.
Too many http log in failures? banned.
Look at me the wrong way on the street? banned.


-CT

On Wed, Mar 17, 2021 at 4:34 PM Ron Nascimento via plug <plug@lists.phillylinux.org> wrote:

    Have you looked at fail2ban?

    https://www.fail2ban.org

    Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
    that show the malicious signs -- too many password failures, seeking
    for exploits, etc. Generally Fail2Ban is then used to update firewall
    rules to reject the IP addresses for a specified amount of time,
    although any arbitrary other action (e.g. sending an email) could also
    be configured. Out of the box Fail2Ban comes with filters for various
    services (apache, courier, ssh, etc).


    On Wed, 2021-03-17 at 16:29 -0400, Ron Mansolino via plug wrote:
    > I have a vps that I don't do too much with, essentially a dev server.
    >
    > Because it sits out on the net it logs an unwieldy number of
    > intrusion attempts and nosey infogathering requests.
    >
    > I've been manually filtering these with iptables, but that isn't
    > scaling well (and it's impossible to block cloud services that
    > continually allocate new netblocks). I'd like to block all of AWS,
    > GCP, etc, but it's like playing whack-a-mole. I could use some
    > suggestions for a WAF that I won't eventually have to pay for.
    >
    > also, did the posting rules change here? I don't check here often,
    > and things aren't working as I expect them to.
    >
    > ___________________________________________________________________________
    > Philadelphia Linux Users Group         --        http://www.phillylinux.org
    > Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
    > General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug




--
-Chris


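Added illustration, not code from this thread or from the fail2ban project: a small Python replay of the jail logic Ron Nascimento describes (scan log lines, match a failure pattern, count failures per source address inside a window, fire a ban action) run over constructed sshd-style log lines, comparing the default "3 strikes in 10 minutes, banned for 10 minutes" with the "3 strikes in a day, banned for a week" setting from Fred's message. The failure regex is a simplified stand-in for fail2ban's sshd filter, the IP addresses are documentation-range values, and the jail names and helper functions are mine.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simplified, assumed failure pattern in the spirit of fail2ban's sshd filter
# (the real filter carries many more regexes).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Jail:
    """The three knobs that matter here; same names as the keys in fail2ban's jail.local."""
    maxretry: int
    findtime: timedelta
    bantime: timedelta


# "3 strikes in 10 minutes and you're banned for 10 minutes"
DEFAULT_JAIL = Jail(maxretry=3, findtime=timedelta(minutes=10), bantime=timedelta(minutes=10))
# "3 strikes in a day and you're banned for a week"
STRICT_JAIL = Jail(maxretry=3, findtime=timedelta(days=1), bantime=timedelta(weeks=1))


def parse_ts(stamp: str, year: int = 2021) -> datetime:
    """Syslog stamps carry no year; assume one (constructed data is from March 2021)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan(lines, jail: Jail) -> dict:
    """Replay log lines through the jail; return {ip: ban expiry datetime}."""
    window = defaultdict(deque)  # ip -> timestamps of failures still inside findtime
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # the filter ignores lines that are not failures
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in bans and ts < bans[ip]:
            continue  # still banned: the firewall rule is already dropping this client
        q = window[ip]
        q.append(ts)
        while ts - q[0] > jail.findtime:
            q.popleft()  # slide the window forward
        if len(q) >= jail.maxretry:
            bans[ip] = ts + jail.bantime  # the "action": normally a firewall rule or an e-mail
            q.clear()
    return bans


# Constructed log lines (hypothetical host "vps", documentation-range addresses).
LOG_FMT = ("{t:%b %d %H:%M:%S} vps sshd[4242]: Failed password for invalid user admin "
           "from {ip} port {port} ssh2")
T0 = datetime(2021, 3, 17, 16, 0, 0)


def rattler_lines(ip="203.0.113.7", rounds=6, gap=timedelta(minutes=11)):
    """The 'twice every 11 minutes' pattern: two failures, wait 11 minutes, repeat."""
    return [
        LOG_FMT.format(t=T0 + r * gap + timedelta(seconds=5 * k), ip=ip, port=50000 + r)
        for r in range(rounds)
        for k in range(2)
    ]


def burst_lines(ip="198.51.100.9", count=5):
    """A noisy brute-force burst: one attempt every 5 seconds."""
    return [
        LOG_FMT.format(t=T0 + timedelta(seconds=5 * k), ip=ip, port=60000 + k)
        for k in range(count)
    ]


if __name__ == "__main__":
    for name, jail in (("default", DEFAULT_JAIL), ("strict", STRICT_JAIL)):
        for label, lines in (("rattler", rattler_lines()), ("burst", burst_lines())):
            print(f"{name:7s} {label:7s} -> {scan(lines, jail) or 'no ban'}")
```

The burst is caught by both jails, but the slow rattler never accumulates three failures inside a 10-minute window, so the default jail never fires; with a one-day findtime its third attempt (at 16:11) triggers a week-long ban and the remaining attempts are dropped. In a real jail.local the same three values go under the `[sshd]` section as `maxretry`, `findtime` and `bantime`.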