Hello:
I have been looking into projects that will automatically restrict hacking attempts on my servers running CentOS 5.
I think the two top contenders are: DenyHosts - http://denyhosts.sourceforge.net Fail2ban - http://www.fail2ban.org
From what I see, DenyHosts only blocks based on failed
SSH attempts whereas Fail2ban blocks failed attempts for other access as well.
The main benefit I see from DenyHosts is their synchronization service where my servers can proactively block hosts recognized by other users of their service.
Does anyone have experience with these tools and have recommendations?
Thanks, Neil
-- Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com Will your e-commerce site go offline if you have a DB server failure, fiber cut, flood, fire, or other disaster? If so, ask me about our geographically redudant database system.
On Thu, 2009-07-09 at 09:56 -0500, Neil Aggarwal wrote:
Hello:
I have been looking into projects that will automatically restrict hacking attempts on my servers running CentOS 5.
I think the two top contenders are: DenyHosts - http://denyhosts.sourceforge.net Fail2ban - http://www.fail2ban.org
From what I see, DenyHosts only blocks based on failed
SSH attempts whereas Fail2ban blocks failed attempts for other access as well.
That is incorrect. Denyhosts has a config option named "BLOCK_SERVICE" which can be set to "ALL". Check out the description included in the sample config file.
I have been using Denyhosts for at least 3 years now, and been satisfied enough with it that I have not gone looking for alternatives, so I can't rationally compare it with Fail2ban. I have seen numerous reports on the Web of people being happy with Fail2ban, so I guess it comes down to which one you are comfortable with.
The only other observation I have is that most of my machines have very few services exposed to the Internet. Most services on my Internet-facing boxes are either disabled or limited by firewall rules, so the Denyhosts/Fail2ban layer gets less work. I suggest that you critically evaluate the services you choose to make available to the 'Net from a similar viewpoint.
Just my $0.02 (US) worth. ;>
The main benefit I see from DenyHosts is their synchronization service where my servers can proactively block hosts recognized by other users of their service.
Does anyone have experience with these tools and have recommendations?
Thanks, Neil
-- Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com Will your e-commerce site go offline if you have a DB server failure, fiber cut, flood, fire, or other disaster? If so, ask me about our geographically redudant database system.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Ron:
From what I see, DenyHosts only blocks based on failed
SSH attempts
That is incorrect. Denyhosts has a config option named "BLOCK_SERVICE" which can be set to "ALL".
I think you misunderstood my point.
It looks like BLOCK_SERVICE tells what to block once the offender has been identified.
What I am talking about is the process of identifying the offender in the first place. It looks like only a failed SSH login attempt will cause someone to be blocked. If they try to attack another service (pop3s for example), DenyHosts will not block them.
Does this make sense? Or, am I wrong about it?
Thanks, Neil
-- Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com Will your e-commerce site go offline if you have a DB server failure, fiber cut, flood, fire, or other disaster? If so, ask me about our geographically redudant database system.
On Thu, 2009-07-09 at 10:44 -0500, Neil Aggarwal wrote:
Ron:
From what I see, DenyHosts only blocks based on failed
SSH attempts
That is incorrect. Denyhosts has a config option named "BLOCK_SERVICE" which can be set to "ALL".
I think you misunderstood my point.
It looks like BLOCK_SERVICE tells what to block once the offender has been identified.
What I am talking about is the process of identifying the offender in the first place. It looks like only a failed SSH login attempt will cause someone to be blocked. If they try to attack another service (pop3s for example), DenyHosts will not block them.
Does this make sense? Or, am I wrong about it?
I stand corrected.
Thanks, Neil
-- Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com Will your e-commerce site go offline if you have a DB server failure, fiber cut, flood, fire, or other disaster? If so, ask me about our geographically redudant database system.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Neil Aggarwal wrote:
It looks like BLOCK_SERVICE tells what to block once the offender has been identified.
What I am talking about is the process of identifying the offender in the first place. It looks like only a failed SSH login attempt will cause someone to be blocked. If they try to attack another service (pop3s for example), DenyHosts will not block them.
I've been using fail2ban for more than a year now. For now I only use it to monitor SSH. Fail2ban monitors log files (/var/log/secure for SSH) and if the authentication fails more than x times (3 for me) uses iptables to block (ban) that particular IP address during xxxx seconds (1h for me). Bans are logged identifying the IP address of the attacker.
Fail2ban also works (or almost) "out of the box" with proftpd / sasl / vsftpd among others.
It's possible to configure fail2ban to monitor other software/services such as dovecot.
Look at fail2ban homepage for more info. You may find a nice article at http://www.the-art-of-web.com/system/fail2ban
Manuel
If you are talking about restricting "hacking" attempts across multiple services (like ssh, smtp and http) then you are beginning to move into the realm of an IDS solution (like Snort)
Currently I use denyhosts plus iptables blacklist for ssh on the servers side (plus multiple layers of firewall devices in front of the servers)... I could go with either denyhosts OR iptables, but I believe multiple methods is prudent in case one method fails
This is what my (editted) iptables listing looks like for the blacklisting
Chain INPUT (policy DROP) target prot opt source destination SSH tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain BLACKLIST (3 references) target prot opt source destination all -- anywhere anywhere recent: SET name: BLACKLIST side: source DROP all -- anywhere anywhere
Chain SSH (1 references) target prot opt source destination DROP all -- anywhere anywhere recent: UPDATE seconds: 3600 hit_count: 1 name: BLACKLIST side: source all -- anywhere anywhere recent: SET name: COUNT1 side: source all -- anywhere anywhere recent: SET name: COUNT2 side: source all -- anywhere anywhere recent: SET name: COUNT3 side: source BLACKLIST all -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 5 name: COUNT1 side: source BLACKLIST all -- anywhere anywhere recent: UPDATE seconds: 300 hit_count: 10 name: COUNT2 side: source BLACKLIST all -- anywhere anywhere recent: UPDATE seconds: 1800 hit_count: 20 name: COUNT3 side: source ACCEPT all -- anywhere anywhere
So if someone connects via ssh more than 5 times in one minute, 10 times in 5 minutes or 20 times in 30 minutes, they are blacklisted for an hour...
"Neil Aggarwal" neil@JAMMConsulting.com Sent by: centos-bounces@centos.org 07/09/2009 09:57 AM Please respond to CentOS mailing list centos@centos.org
To "'CentOS mailing list'" centos@centos.org cc
Subject [CentOS] Looking for recommendations for blocking hacking attempts
Hello:
I have been looking into projects that will automatically restrict hacking attempts on my servers running CentOS 5.
I think the two top contenders are: DenyHosts - http://denyhosts.sourceforge.net Fail2ban - http://www.fail2ban.org
From what I see, DenyHosts only blocks based on failed
SSH attempts whereas Fail2ban blocks failed attempts for other access as well.
The main benefit I see from DenyHosts is their synchronization service where my servers can proactively block hosts recognized by other users of their service.
Does anyone have experience with these tools and have recommendations?
Thanks, Neil
-- Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com Will your e-commerce site go offline if you have a DB server failure, fiber cut, flood, fire, or other disaster? If so, ask me about our geographically redudant database system.
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
</PRE><p><span style="font-size:9.5pt;line-height:115%;font-family: Arial">This transmission is intended solely for the person or organization to whom it is addressed and it may contain privileged and confidential information. If you are not the intended recipient you should not copy, distribute or take any action in reliance on it. If you believe you received this transmission in error, please notify the sender.</span></p>
-
Manuel Monteiro -
mark.hanna@rmgconnect.com -
Neil Aggarwal -
Ron Loftin