If you are talking about restricting
"hacking" attempts across multiple services (like ssh, smtp and
http) then you are beginning to move into the realm of an IDS solution
(like Snort)
Currently I use denyhosts plus iptables
blacklist for ssh on the servers side (plus multiple layers of firewall
devices in front of the servers)... I could go with either denyhosts OR
iptables, but I believe multiple methods is prudent in case one method
fails
This is what my (editted) iptables listing
looks like for the blacklisting
Chain INPUT (policy DROP)
target prot opt source
destination
SSH tcp --
anywhere anywhere
state NEW tcp dpt:ssh
Chain BLACKLIST (3 references)
target prot opt source
destination
all
-- anywhere anywhere
recent: SET name: BLACKLIST side:
source
DROP all --
anywhere anywhere
Chain SSH (1 references)
target prot opt source
destination
DROP all --
anywhere anywhere
recent: UPDATE seconds: 3600 hit_count:
1 name: BLACKLIST side: source
all
-- anywhere anywhere
recent: SET name: COUNT1 side:
source
all
-- anywhere anywhere
recent: SET name: COUNT2 side:
source
all
-- anywhere anywhere
recent: SET name: COUNT3 side:
source
BLACKLIST all -- anywhere
anywhere
recent: UPDATE seconds: 60 hit_count: 5 name: COUNT1
side: source
BLACKLIST all -- anywhere
anywhere
recent: UPDATE seconds: 300 hit_count: 10 name: COUNT2
side: source
BLACKLIST all -- anywhere
anywhere
recent: UPDATE seconds: 1800 hit_count: 20 name: COUNT3
side: source
ACCEPT all -- anywhere
anywhere
So if someone connects via ssh more
than 5 times in one minute, 10 times in 5 minutes or 20 times in 30 minutes,
they are blacklisted for an hour...
"Neil Aggarwal"
<neil@JAMMConsulting.com>
Sent by: centos-bounces@centos.org
07/09/2009 09:57 AM
Please respond to
CentOS mailing list <centos@centos.org> |
|
To
| "'CentOS mailing list'" <centos@centos.org>
|
cc
|
|
Subject
| [CentOS] Looking for recommendations
for blocking hacking attempts |
|
Hello:
I have been looking into projects that will automatically
restrict hacking attempts on my servers running CentOS 5.
I think the two top contenders are:
DenyHosts - http://denyhosts.sourceforge.net
Fail2ban - http://www.fail2ban.org
>From what I see, DenyHosts only blocks based on failed
SSH attempts whereas Fail2ban blocks failed attempts
for other access as well.
The main benefit I see from DenyHosts is their synchronization
service where my servers can proactively block hosts recognized
by other users of their service.
Does anyone have experience with these tools and have
recommendations?
Thanks,
Neil
--
Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com
Will your e-commerce site go offline if you have
a DB server failure, fiber cut, flood, fire, or other disaster?
If so, ask me about our geographically redudant database system.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
This transmission is intended solely for the person or organization to whom it is addressed and it may contain privileged and confidential information. If you are not the intended recipient you should not copy, distribute or take any action in reliance on it. If you believe you received this transmission in error, please notify the sender.