Security/automatic ban on too many ssh attempts

[sde]

There's a program called authfail which seems to do what I want, but it doesn't work on CentOS 4 for some reason.

I look at my security log and see that the server gets hit pretty hard with bad SSH login attempts. It's obviously a script because it goes through usernames alphabetically.

I want something that will automatically add the violating IP to IPTables after several failed attempts.

Any suggestions?

 

[nobaloney]

How about the APF+BFD firewall? It should do what you want.

Jeff

 

[vandal]

yup apf+bfd will do that. You can configure it for ftpd etc. as well to ban ips after a certain number of bunk attempts.

 

[sde]

thanks for the replies! i'll give it a shot.

 

[xemaps2]

apf+bfd is good

a good idea is to stop ssh through panel, and start when needed

 

[chatwizrd]

http://denyhosts.sourceforge.net

 

[sde]

bfd doesn't seem to stay running. i execute the command and it just returns output.

ps aux|grep bfd only returns my grep command.

here is how i'm starting it

/usr/local/sbin/bfd -s

am i missing something here?

 

[vandal]

bfd is run on cron every x minutes to check the logs and then add the ip of bad people into apf /etc/apf/deny_hosts

 

[sde]

ok thanks. is there a recommended frequency? .. maybe 5 minutes?

 

[vandal]

I think the default is 8 minutes. It would depend on server load etc..

Make sure you put your home ips in allow_hosts so you don't get banned

 

[sde]

thanks a lot. it seems to have been running ok for the past few hours. i have these lines in my bfd log though

Jan  5 09:40:01 cp BFD(7508): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
Jan  5 10:40:01 cp BFD(4879): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
Jan  5 11:00:01 cp BFD(25923): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
Jan  5 11:40:02 cp BFD(8696): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.
Jan  5 12:00:01 cp BFD(25768): locked subsystem, already running ? (/usr/local/bfd/lock.utime is 0 seconds old), aborting.

i'm looking forward to seeing some real info.

 

[vandal]

not sure what that is. But did you config it email you when it has blocked someone?

 

[sde]

yes. based on the history of my secure log, it should not be long before i get some action.

i found this in the config:

# lock file timeout in seconds
LOCK_TIMEOUT="620"

maybe that has something to do with the errors. it's probably not a big deal.

 

[pucky]

Howabout moving ssh to another port instead of messing around?

 

[sde]

it's actually blocking IPs which try to break into via SSH2 on non-standard ports as well. cool!

 

[xemaps2]

again,
stop simply ssh with DA panel,
but have APF+BFD
which is better than denyhosts (some very bad security alert last time)

 

[sde]

stop simply ssh with DA panel

i use ssh everyday.