<br><font size=2 face="sans-serif">If you are talking about restricting
"hacking" attempts across multiple services (like ssh, smtp and
http), then you are beginning to move into the realm of an IDS solution
(like Snort).</font>
<br>
<br><font size=2 face="sans-serif">Currently I use denyhosts plus an iptables
blacklist for ssh on the server side (plus multiple layers of firewall
devices in front of the servers)... I could go with either denyhosts OR
iptables, but I believe multiple methods are prudent in case one method
fails.</font>
<br>
<br><font size=2 face="sans-serif">This is what my (edited) iptables listing
looks like for the blacklisting:</font>
<br>
<pre>
Chain INPUT (policy DROP)
target     prot opt source               destination
SSH        tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh

Chain BLACKLIST (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere            recent: SET name: BLACKLIST side: source
DROP       all  --  anywhere             anywhere

Chain SSH (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 3600 hit_count: 1 name: BLACKLIST side: source
           all  --  anywhere             anywhere            recent: SET name: COUNT1 side: source
           all  --  anywhere             anywhere            recent: SET name: COUNT2 side: source
           all  --  anywhere             anywhere            recent: SET name: COUNT3 side: source
BLACKLIST  all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 5 name: COUNT1 side: source
BLACKLIST  all  --  anywhere             anywhere            recent: UPDATE seconds: 300 hit_count: 10 name: COUNT2 side: source
BLACKLIST  all  --  anywhere             anywhere            recent: UPDATE seconds: 1800 hit_count: 20 name: COUNT3 side: source
ACCEPT     all  --  anywhere             anywhere
</pre>
<br>
<br><font size=2 face="sans-serif">So if someone connects via ssh more
than 5 times in one minute, 10 times in 5 minutes or 20 times in 30 minutes,
they are blacklisted for an hour... </font>
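<br><font size=2 face="sans-serif">To see how the three counting windows and the hour-long ban interact, here is an added Python model of that SSH chain (editor's example, not the poster's configuration; the source addresses and timings are constructed). It makes two things visible that the listing does not: the attempt that reaches a threshold (the fifth within a minute) is itself dropped, and because the first rule is a recent UPDATE rather than a plain check, every retry made while banned restarts the hour.</font>

```python
"""Model of the xt_recent SSH chain listed above (constructed, not the poster's config)."""
from collections import defaultdict

WINDOWS = [("COUNT1", 60, 5), ("COUNT2", 300, 10), ("COUNT3", 1800, 20)]  # name, seconds, hit_count
BLACKLIST_SECONDS = 3600
LIST_TOT = 20  # xt_recent ip_pkt_list_tot default; --hitcount cannot exceed it

class RecentList:
    """One xt_recent table: timestamps recently seen per source address."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """recent: SET records a hit, keeping only the newest LIST_TOT stamps."""
        self.stamps[src] = (self.stamps[src] + [now])[-LIST_TOT:]

    def update(self, src, now, seconds, hit_count):
        """recent: UPDATE matches on >= hit_count stamps within `seconds`, and records the hit."""
        hits = sum(1 for s in self.stamps.get(src, []) if s >= now - seconds)
        if hits < hit_count:
            return False
        self.set(src, now)
        return True

def ssh_chain(tables, src, now):
    """Walk the SSH chain for one NEW tcp/22 attempt (time in seconds) and return its verdict."""
    bl = tables["BLACKLIST"]
    # Rule 1: banned within the last hour -> DROP; being an UPDATE, each attempt restarts the hour.
    if bl.update(src, now, BLACKLIST_SECONDS, 1):
        return "DROP"
    for name, _, _ in WINDOWS:                # rules 2-4: count this attempt in every window
        tables[name].set(src, now)
    for name, seconds, hit_count in WINDOWS:  # rules 5-7: threshold reached -> BLACKLIST chain
        if tables[name].update(src, now, seconds, hit_count):
            bl.set(src, now)                  # BLACKLIST chain: SET, then DROP
            return "DROP"
    return "ACCEPT"                           # last rule of the SSH chain

def run(events):
    """Feed (seconds, src) events through fresh tables and return the verdict list."""
    tables = {n: RecentList() for n in ["BLACKLIST"] + [w[0] for w in WINDOWS]}
    return [ssh_chain(tables, src, t) for t, src in events]

# Constructed traffic: 5 attempts in 5 s, two retries while banned (each refreshes
# the ban), then one attempt long after the ban has lapsed.
ATTACKER_EVENTS = [(t, "10.0.0.9") for t in (0, 1, 2, 3, 4, 3500, 7000, 10700)]
# A legitimate host opening one session every 20 s never reaches 5 per minute.
STEADY_USER_EVENTS = [(t, "192.0.2.7") for t in range(0, 100, 20)]
```

Note that the chain counts connection attempts, not failed logins, so a host that legitimately opens many short sessions in a minute is treated the same way as a brute-forcer.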
<br>
<br>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>"Neil Aggarwal"
<neil@JAMMConsulting.com></b> </font>
<br><font size=1 face="sans-serif">Sent by: centos-bounces@centos.org</font>
<p><font size=1 face="sans-serif">07/09/2009 09:57 AM</font>
<table border>
<tr valign=top>
<td bgcolor=white>
<div align=center><font size=1 face="sans-serif">Please respond to<br>
CentOS mailing list <centos@centos.org></font></div></table>
<br>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">"'CentOS mailing list'" <centos@centos.org></font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">[CentOS] Looking for recommendations
for blocking hacking attempts</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><tt><font size=2>Hello:<br>
<br>
I have been looking into projects that will automatically<br>
restrict hacking attempts on my servers running CentOS 5.<br>
<br>
I think the two top contenders are:<br>
DenyHosts - </font></tt><a href=http://denyhosts.sourceforge.net/><tt><font size=2>http://denyhosts.sourceforge.net</font></tt></a><tt><font size=2><br>
Fail2ban - </font></tt><a href=http://www.fail2ban.org/><tt><font size=2>http://www.fail2ban.org</font></tt></a><tt><font size=2><br>
<br>
From what I see, DenyHosts only blocks based on failed<br>
SSH attempts whereas Fail2ban blocks failed attempts<br>
for other access as well.<br>
<br>
The main benefit I see from DenyHosts is their synchronization<br>
service where my servers can proactively block hosts recognized<br>
by other users of their service.<br>
<br>
Does anyone have experience with these tools and have<br>
recommendations?<br>
<br>
Thanks,<br>
Neil<br>
<br>
--<br>
Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com<br>
Will your e-commerce site go offline if you have<br>
a DB server failure, fiber cut, flood, fire, or other disaster?<br>
If so, ask me about our geographically redundant database system.<br>
<br>
_______________________________________________<br>
CentOS mailing list<br>
CentOS@centos.org<br>
</font></tt><a href=http://lists.centos.org/mailman/listinfo/centos><tt><font size=2>http://lists.centos.org/mailman/listinfo/centos</font></tt></a><br>
<br>