[CentOS] authentication failure

fabien faye fabien at faye.eu
Sat Jan 23 19:30:36 UTC 2010


Hi,

I am a fail2ban user and i am very interested to have an autosent mail to the ip provider of the brute force ip address.
Do you know if it is possible with fail2ban or if we have to rewrite action in fail2ban ?.

Fabien FAYE
RHCE
www.generationip.com
Free network tools & HOWTO for centos and Redhat


----- Mail Original -----
De: "Athmane Madjoudj" <athmanem at gmail.com>
À: "CentOS mailing list" <centos at centos.org>
Envoyé: Samedi 23 Janvier 2010 18:20:01
Objet: Re: [CentOS] authentication failure

On Sat, Jan 23, 2010 at 6:14 PM, madunix <madunix at gmail.com> wrote:
> I noticed that my server has a lot ca. 1000x auth failure from
> different alocated in China / Romania and Netherlands per day since 3
> days
> It looks to me like somebody was trying to get into server by guessing
> my password by brute force.
> what would be the best to stop this attack and how? the server running
> apache mysql and ftp
> PORT     STATE SERVICE
> 21/tcp   open  ftp
> 80/tcp   open  http
> 443/tcp  open  https
> 3306/tcp open  mysql
> ...
> Jan 22 16:07:14 user vsftpd(pam_unix)[17462]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=195.95.228.150
> Jan 22 16:07:16 user vsftpd(pam_unix)[16737]: check pass; user unknown
> Jan 22 16:07:16 user vsftpd(pam_unix)[16737]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=195.95.228.150
> Jan 22 16:07:17 user vsftpd(pam_unix)[17462]: check pass; user unknown
> Jan 23 17:23:52 user vsftpd(pam_unix)[20524]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 17:23:55 user vsftpd(pam_unix)[20524]: check pass; user unknown
> Jan 23 17:23:55 user vsftpd(pam_unix)[20524]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 17:23:59 user vsftpd(pam_unix)[20524]: check pass; user unknown
> Jan 23 17:24:58 user vsftpd(pam_unix)[20524]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 00:37:47 user vsftpd(pam_unix)[1791]: check pass; user unknown
> Jan 23 00:37:47 user vsftpd(pam_unix)[1791]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=217.23.14.168
> Jan 23 00:38:06 user vsftpd(pam_unix)[1791]: check pass; user unknown
> Jan 23 00:38:06 user vsftpd(pam_unix)[1791]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=217.23.14.168
> ...
>
> Thanks
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Maybe a brute force attack, try to install a HIDS like:

APF/BFD: http://www.rfxn.com/projects/advanced-policy-firewall/
                http://www.rfxn.com/projects/brute-force-detection/

Fail2ban: http://www.fail2ban.org/

Fail2ban is available in EPEL repos.

HTH
-- 
Athmane Madjoudj
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos


More information about the CentOS mailing list