[CentOS] Looking for recommendations for blocking hacking attempts

Thu Jul 9 17:18:37 UTC 2009
mark.hanna at rmgconnect.com <mark.hanna at rmgconnect.com>

If you are talking about restricting "hacking" attempts across multiple 
services (like ssh, smtp and http) then you are beginning to move into the 
realm of an IDS solution (like Snort)

Currently I use denyhosts plus iptables blacklist for ssh on the servers 
side (plus multiple layers of firewall devices in front of the servers)... 
I could go with either denyhosts OR iptables, but I believe multiple 
methods is prudent in case one method fails

This is what my (editted) iptables listing looks like for the blacklisting

Chain INPUT (policy DROP)
target     prot opt source               destination
SSH        tcp  --  anywhere             anywhere            state NEW tcp 
dpt:ssh

Chain BLACKLIST (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere            recent: SET 
name: BLACKLIST side: source
DROP       all  --  anywhere             anywhere

Chain SSH (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            recent: 
UPDATE seconds: 3600 hit_count: 1 name: BLACKLIST side: source
           all  --  anywhere             anywhere            recent: SET 
name: COUNT1 side: source
           all  --  anywhere             anywhere            recent: SET 
name: COUNT2 side: source
           all  --  anywhere             anywhere            recent: SET 
name: COUNT3 side: source
BLACKLIST  all  --  anywhere             anywhere            recent: 
UPDATE seconds: 60 hit_count: 5 name: COUNT1 side: source
BLACKLIST  all  --  anywhere             anywhere            recent: 
UPDATE seconds: 300 hit_count: 10 name: COUNT2 side: source
BLACKLIST  all  --  anywhere             anywhere            recent: 
UPDATE seconds: 1800 hit_count: 20 name: COUNT3 side: source
ACCEPT     all  --  anywhere             anywhere

So if someone connects via ssh more than 5 times in one minute, 10 times 
in 5 minutes or 20 times in 30 minutes, they are blacklisted for an 
hour... 






"Neil Aggarwal" <neil at JAMMConsulting.com> 
Sent by: centos-bounces at centos.org
07/09/2009 09:57 AM
Please respond to
CentOS mailing list <centos at centos.org>


To
"'CentOS mailing list'" <centos at centos.org>
cc

Subject
[CentOS] Looking for recommendations for blocking hacking attempts






Hello:

I have been looking into projects that will automatically
restrict hacking attempts on my servers running CentOS 5.

I think the two top contenders are:
                 DenyHosts - http://denyhosts.sourceforge.net
                 Fail2ban - http://www.fail2ban.org

>From what I see, DenyHosts only blocks based on failed
SSH attempts whereas Fail2ban blocks failed attempts
for other access as well.

The main benefit I see from DenyHosts is their synchronization
service where my servers can proactively block hosts recognized
by other users of their service.

Does anyone have experience with these tools and have
recommendations?

Thanks,
                 Neil

--
Neil Aggarwal, (281)846-8957, www.JAMMConsulting.com
Will your e-commerce site go offline if you have
a DB server failure, fiber cut, flood, fire, or other disaster?
If so, ask me about our geographically redudant database system.

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos


</PRE><p><span style="font-size:9.5pt;line-height:115%;font-family: Arial">This transmission is intended solely for the person or organization to whom it is addressed and it may contain privileged and confidential information.  If you are not the intended recipient you should not copy, distribute or take any action in reliance on it. If you believe you received this transmission in error, please notify the sender.</span></p>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20090709/44a2baa4/attachment-0005.html>