Security/automatic ban on too many ssh attempts
There's a program called authfail which seems to do what I want, but it doesn't work on CentOS 4 for some reason.
I look at my security log and see that the server gets hit pretty hard with bad SSH login attempts. It's obviously a script because it goes through usernames alphabetically.
I want something that will automatically add the violating IP to IPTables after several failed attempts.
Any suggestions?
nobaloney
01-04-2007, 09:40 AM
How about the APF+BFD firewall? It should do what you want.
Jeff
vandal
01-04-2007, 11:12 AM
Yup, apf+bfd will do that. You can configure it for ftpd etc. as well to ban IPs after a certain number of bunk attempts.
Thanks for the replies! I'll give it a shot.
xemaps2
01-04-2007, 12:43 PM
apf+bfd is good.
A good idea is to stop ssh through the panel and start it when needed.
chatwizrd
01-04-2007, 02:49 PM
http://denyhosts.sourceforge.net
bfd doesn't seem to stay running. I execute the command and it just returns output.
ps aux|grep bfd only returns my grep command.
Here is how I'm starting it:
/usr/local/sbin/bfd -s
Am I missing something here?
vandal
01-05-2007, 09:53 AM
bfd is run from cron every x minutes to check the logs and then add the IPs of bad people to apf (/etc/apf/deny_hosts).
OK, thanks. Is there a recommended frequency? Maybe 5 minutes?
vandal
01-05-2007, 10:32 AM
I think the default is 8 minutes. It would depend on server load etc..
Make sure you put your home IPs in allow_hosts so you don't get banned :)
Thanks a lot. It seems to have been running OK for the past few hours. I have these lines in my bfd log though:
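To make vandal's description concrete (a periodic scan of the auth log, a failure threshold per source IP, and an allow list that keeps your own addresses from being banned), here is a small added Python example of the same idea. It is not BFD's own code and does not read BFD's configuration; the log lines are constructed in the style of /var/log/secure, the threshold of 5 is an assumed value, and the one-address-per-line deny_hosts format and the iptables DROP rule are assumptions the reader should check against their own APF setup. Run it with a real log path as the first argument to get a dry-run list of what would be blocked.

```python
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of /var/log/secure (not from the thread).
# 198.51.100.7 walks usernames alphabetically, 192.168.1.20 is a clumsy local user,
# 203.0.113.9 only fails twice.
SAMPLE_SECURE_LOG = """\
Jan  5 09:12:01 cp sshd[2231]: Failed password for invalid user aaron from 198.51.100.7 port 40112 ssh2
Jan  5 09:12:03 cp sshd[2233]: Failed password for invalid user abby from 198.51.100.7 port 40118 ssh2
Jan  5 09:12:05 cp sshd[2235]: Failed password for invalid user adam from 198.51.100.7 port 40121 ssh2
Jan  5 09:12:07 cp sshd[2237]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jan  5 09:12:09 cp sshd[2239]: Failed password for invalid user admin from 198.51.100.7 port 40133 ssh2
Jan  5 09:15:44 cp sshd[2301]: Failed password for bob from 192.168.1.20 port 51000 ssh2
Jan  5 09:15:50 cp sshd[2303]: Failed password for bob from 192.168.1.20 port 51002 ssh2
Jan  5 09:15:55 cp sshd[2305]: Failed password for bob from 192.168.1.20 port 51004 ssh2
Jan  5 09:15:59 cp sshd[2307]: Failed password for bob from 192.168.1.20 port 51006 ssh2
Jan  5 09:16:03 cp sshd[2309]: Failed password for bob from 192.168.1.20 port 51008 ssh2
Jan  5 09:16:10 cp sshd[2311]: Accepted password for bob from 192.168.1.20 port 51010 ssh2
Jan  5 09:20:00 cp sshd[2400]: Failed password for invalid user test from 203.0.113.9 port 33000 ssh2
Jan  5 09:20:02 cp sshd[2402]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
"""

# Assumed threshold: ban after this many failures from one source address.
THRESHOLD = 5

# Matches the classic sshd "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-login lines per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def is_allowed(ip, allow_hosts):
    """True if ip falls inside any allow_hosts entry (single IPs or CIDR blocks)."""
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in allow_hosts)


def offenders(log_text, threshold=THRESHOLD, allow_hosts=()):
    """Sorted list of IPs at or above the threshold that are not on the allow list."""
    return sorted(
        ip for ip, n in count_failures(log_text).items()
        if n >= threshold and not is_allowed(ip, allow_hosts)
    )


def deny_hosts_lines(ips):
    """Lines to append to a deny file; one address per line is an assumed format."""
    return [ip + "\n" for ip in ips]


def iptables_rules(ips):
    """Equivalent raw iptables commands for a box without APF (dry run: strings only)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    # Read a real log if a path is given, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    # Assumed allow list: the local LAN, standing in for "your home IPs".
    allow = ["192.168.1.0/24"]
    for ip, n in sorted(count_failures(text).items()):
        print("%-16s %3d failures%s" % (ip, n, "  (allowed)" if is_allowed(ip, allow) else ""))
    print("would block:", ", ".join(offenders(text, THRESHOLD, allow)) or "nothing")
    for rule in iptables_rules(offenders(text, THRESHOLD, allow)):
        print(rule)
```

Note that the allow list matters: without it the local user who fat-fingered a password five times would be banned alongside the real scanner, which is exactly the situation vandal's allow_hosts advice prevents. A cron job running something like this every few minutes is the whole of what BFD is doing; the lock file in the later log lines is just BFD making sure two such runs do not overlap.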
Jan 5 09:40:01 cp BFD(7508): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
Jan 5 10:40:01 cp BFD(4879): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
Jan 5 11:00:01 cp BFD(25923): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
Jan 5 11:40:02 cp BFD(8696): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
Jan 5 12:00:01 cp BFD(25768): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
I'm looking forward to seeing some real info.
vandal
01-05-2007, 01:34 PM
Not sure what that is. But did you configure it to email you when it has blocked someone?
Yes. Based on the history of my secure log, it should not be long before I get some action.
I found this in the config:
# lock file timeout in seconds
LOCK_TIMEOUT="620"
Maybe that has something to do with the errors. It's probably not a big deal.
pucky
01-07-2007, 10:07 PM
How about moving ssh to another port instead of messing around?
It's actually blocking IPs which try to break in via SSH2 on non-standard ports as well. Cool!
xemaps2
01-09-2007, 08:25 PM
Again, simply stop ssh with the DA panel, but have APF+BFD, which is better than denyhosts (there was a very bad security alert last time).
Originally posted by xemaps2
stop simply ssh with DA panel
I use ssh every day.