Brute Force Attacks

ssi.inc

I've seen an increase in the amount of dictionary attacks my server is getting of late. I've hardened ssh with public/private key requirements so I'm not too worried about that. I am somewhat worried about the sheer number of attacks FTP is getting. The attacker will max out my allowed connections and just beat on the ftp server until I turn off the service. I can ban the IP, but they are back in a matter of seconds on a new IP.

What can a person do to stem these attacks? I've seen suggestions to use APF and I have installed it and played around with it. But to be honest, I just don't understand the program well enough. It isn't documented well enough to be usable by a person of my skill level. (I can't get ftp to function with APF on)

So I have a couple of questions:
How worried should I be about these kinds of brute force attacks? (Aside from the fact that they, in essence, DoS my ftp server)
Is there a reasonably documented method of preventing these brute force attacks?

Reporting these people to the companies that lease them the offending IPs seems pointless. Nothing really changes.
 
which OS/firewall ?

it's straightforward to deal with this
using pf (packet filter), running on any
BSD variety. you could limit the number
of concurrent connections, limit per IP
if you wish, per ISP block, per user,
or per anything you like almost.

if you've a simpler firewall, then blocking
as you do may be the only resort, but
blocking an IP address for some time
is a bit pointless - you'd need to block the
ISP's whole range for a bit. rather crude,
but if you're stuck on linux, you've little
choice realistically.
 
CentOS 4.1

IPTables

At this time I have the entirety of Asia banned from the server at the firewall. I really don't feel bad about that. Most of my attacks were coming from there, and I have no customers doing business with or from that area.

I've contemplated BSD, but the thought of another server migration gives me seizures.
 
yep - blocking Asia can only make sense.

blocking a few US datacenters would help
too, especially if they supply windows
servers - pf is fairly good at blocking by
os - in fact blocking out win 9x users
from the internet could do no harm.
 
A solution might be to use BFD in combination with APF. Banning an entire continent might sound like a solution but it's far from ideal of course.

Sample report:
The remote system 192.168.0.1 was found to have exceeded acceptable login failures on hostname.domain.com; there was 30 events to the service proftpd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 192.168.0.1 {bfd.proftpd}
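The count-and-ban loop that BFD performs on the proftpd log, as an added Python illustration (not BFD's own code). The log line format, the threshold, the allowlist and all addresses below are constructed for the example; the ban command is the `apf -d` form shown in the report above.

```python
import re
from collections import Counter

# Constructed proftpd-style auth lines (format assumed, not copied from a real
# server). The client IP appears in brackets after the resolved hostname.
SAMPLE_LOG = """\
Oct  9 10:01:02 host proftpd[2231]: host (203.0.113.7[203.0.113.7]) - USER admin: no such user found from 203.0.113.7 [203.0.113.7] to 198.51.100.5:21
Oct  9 10:01:03 host proftpd[2231]: host (203.0.113.7[203.0.113.7]) - USER root (Login failed): Incorrect password.
Oct  9 10:01:05 host proftpd[2240]: host (198.51.100.20[198.51.100.20]) - USER bob: Login successful.
Oct  9 10:01:06 host proftpd[2241]: host (203.0.113.7[203.0.113.7]) - USER test (Login failed): Incorrect password.
Oct  9 10:01:09 host proftpd[2242]: host (192.0.2.44[192.0.2.44]) - USER ftp (Login failed): Incorrect password.
"""

# Match only failed logins (unknown user or wrong password) and capture the IP.
FAIL_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \((?P<ip>[\d.]+)\[[\d.]+\]\) - USER \S+"
    r".*?(?:no such user|Login failed)"
)


def failed_logins(log_text):
    """Count failed proftpd logins per remote IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_ban(log_text, threshold, allowlist=()):
    """IPs at or above the failure threshold, skipping allowlisted addresses
    (e.g. your own office) so a mistyped password cannot lock you out."""
    return sorted(
        ip for ip, n in failed_logins(log_text).items()
        if n >= threshold and ip not in allowlist
    )


def ban_commands(ips):
    """Render the APF deny command BFD runs, one per offending host."""
    return ["/etc/apf/apf -d %s {bfd.proftpd}" % ip for ip in ips]


if __name__ == "__main__":
    for cmd in ban_commands(hosts_to_ban(SAMPLE_LOG, threshold=3)):
        print(cmd)
```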
 
Not that I want to start an argument or anything...

but IPTables is at least as good as anything FreeBSD has to offer.

And Advanced Policy Firewall with Brute Force Detection (APF/BFD) is absolutely state of the art, and does precisely what the original poster is looking for.

Unfortunately the poster has already stated he doesn't have the ability to properly set up APF/BFD.

ssi.inc, I recommend you either take the time to learn APF/BFD (it isn't really that complex) or, if you don't have the time for that, perhaps hire a consultancy to do the setup for you.

Once it's properly installed, APF/BFD doesn't require management.

Jeff
 
netswitch said:
I second Jeff, we are using apf / bfd and it is working really smoothly.

bfd is not too fast, I am getting hourly reports of 600-1000 attempts...bfd is a bit slow
 