autoban bruteforce attempts

Cybex

Verified User
Joined
Dec 30, 2005
Messages
54
Hi,

Once in a while I get an e-mail from DirectAdmin with a bruteforce attempt warning. Now I would like to auto-ban those IP addresses. Is there a way I can do this? I am using csf; perhaps it can be done with that?

Regards, John
 
Actually, I know how to make csf act to ban the attempter when the admin clicks on ban, but how to do that automatically would be interesting for me to know as well.

Regards
 
I use fail2ban. I wrote an article on it here: http://www.danneh.org/2010/07/managing-hackdos-attempts-automatically/

I had to modify the default sshd.conf filter, so I'll post what I have in mine:

Code:
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

I also have it protecting against bruteforce on ftp, bind and dovecot, and I have it email me when it bans something.

Of course, this will only work if you've got iptables installed and active.
 
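To see what the posted sshd filter actually does before handing it to fail2ban, here is an added example (not from the thread or from fail2ban itself) that runs those ten failregex lines over a few constructed sshd log lines, counts failures per source IP and lists the addresses that cross a maxretry threshold. The `PREFIX_LINE` and `HOST` stand-ins for fail2ban's `%(__prefix_line)s` and `<HOST>` expansions are simplifications (assumption: they only cover a plain syslog prefix and IPv4 addresses, whereas fail2ban's own also handle hostnames and IPv6), and `csf_deny_command` merely builds the `csf -d` deny command for the OP's setup rather than running it.

```python
import re
from collections import Counter

# The ten failregex lines from the sshd filter posted above, copied verbatim.
FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$",
    r"^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$",
    r"^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
]

# Simplified stand-ins for fail2ban's own expansions (assumption: fail2ban's real
# <HOST> also matches hostnames and IPv6, and its __prefix_line is more permissive).
PREFIX_LINE = r"\S+ +\d+ \d+:\d+:\d+ \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample log lines; the IPs are documentation ranges, not real attackers.
SAMPLE_LOG = [
    "Jul 14 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 4321 ssh2",
    "Jul 14 10:00:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 4322 ssh2",
    "Jul 14 10:00:03 host sshd[1235]: Invalid user admin from 203.0.113.5",
    "Jul 14 10:00:04 host sshd[1235]: error: PAM: Authentication failure for illegal user admin from 203.0.113.5",
    "Jul 14 10:00:05 host sshd[1236]: ROOT LOGIN REFUSED FROM 203.0.113.5",
    "Jul 14 10:00:06 host sshd[1240]: Failed publickey for john from 198.51.100.7 port 5555 ssh2",
    "Jul 14 10:00:07 host sshd[1241]: Accepted password for john from 198.51.100.7 port 5556 ssh2",
]


def compile_filter(patterns):
    """Expand the fail2ban placeholders and compile each failregex line."""
    compiled = []
    for pattern in patterns:
        expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
        compiled.append(re.compile(expanded))
    return compiled


def failed_hosts(lines, regexes):
    """Count failed attempts per source IP; the first matching regex wins per line."""
    counts = Counter()
    for line in lines:
        for regex in regexes:
            match = regex.search(line)
            if match:
                counts[match.group("host")] += 1
                break
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Return the IPs whose failure count reached maxretry (fail2ban's jail setting)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


def csf_deny_command(host, comment="sshd bruteforce"):
    """Build the csf deny command for an IP; not executed here (csf -d adds a permanent deny)."""
    return ["csf", "-d", host, comment]


def scan(lines, maxretry=5):
    """Whole pipeline: filter -> per-IP counts -> list of IPs to ban."""
    return hosts_to_ban(failed_hosts(lines, compile_filter(FAILREGEX)), maxretry)


if __name__ == "__main__":
    for host in scan(SAMPLE_LOG):
        print(" ".join(csf_deny_command(host)))
```

On the sample, 203.0.113.5 is matched five times (two failed passwords, one invalid user, one PAM authentication failure, one refused root login) and 198.51.100.7 only once, so with maxretry=5 only the first address is listed; the accepted login is ignored because none of the ten expressions match it. Note that a single line is counted once even if several expressions would match it, which is also how fail2ban treats a matching line.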