
Re: [K12OSN] OT: Break-In report

Rob Owens wrote:

I've heard about the various packages that block connections based on x
number of failed attempts.  I'm going to look at them a little more
seriously now.

I like fail2ban (http://fail2ban.sourceforge.net/), which creates temporary iptables rules for hosts that make too many attempts to log in to a service. If you enable the RPMforge yum repository (a config file ships with K12LTSP in /etc/yum.repos.d, but you need to enable it explicitly by setting enable=1) you can do the following:

1. Install fail2ban: yum install fail2ban
2. Start fail2ban: service fail2ban start
3. Make sure it starts on boot: chkconfig --level 345 fail2ban on

The defaults do a good job, but if you want notification or want to change the block time, etc., have a look at /etc/fail2ban.conf. (Don't forget to restart fail2ban after making changes: service fail2ban restart.) Fail2ban automatically monitors sshd, but can also be set up to monitor other services.

Setting up public key authentication and disabling password authentication for sshd completely is an even better idea if that is feasible in your setup. I still like to run fail2ban in that case, if only to keep the logs from filling with failed login attempts.

Nils Breunese.
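
Added example, not part of the message above and not fail2ban's own code: a small Python sketch of the "block after x failed attempts" logic, run over constructed sshd log lines. The thresholds, the function names `parse` and `bans`, the host name and the IP addresses are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration, not fail2ban's shipped defaults.
MAX_RETRY, FIND_TIME, BAN_TIME = 3, timedelta(minutes=10), timedelta(minutes=10)
FAILED = re.compile(  # OpenSSH "Failed password" line, with or without "invalid user"
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def parse(line, year=2000):
    """Return (time, ip) for a failed sshd login, else None. Syslog omits the year; 2000 is arbitrary."""
    m = FAILED.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def bans(lines):
    """Return [(ip, ban_start, ban_end)] in the order blocks would be added."""
    recent, banned_until, out = defaultdict(deque), {}, []
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ts, ip = hit
        if banned_until.get(ip, ts) > ts:
            continue  # host is currently blocked
        q = recent[ip]  # failure times for this host inside FIND_TIME
        q.append(ts)
        while ts - q[0] > FIND_TIME:  # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME  # temporary block, lifted at ban_end
            out.append((ip, ts, ts + BAN_TIME))
            q.clear()
    return out

# Constructed sample log lines (documentation IP ranges), not from a real host.
SAMPLE = """\
Mar 12 02:50:00 ltsp sshd[4001]: Failed password for root from 203.0.113.7 port 40100 ssh2
Mar 12 03:14:01 ltsp sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 12 03:14:02 ltsp sshd[4102]: Failed password for rob from 198.51.100.5 port 51020 ssh2
Mar 12 03:14:03 ltsp sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar 12 03:14:06 ltsp sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, start, end in bans(SAMPLE):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The 02:50 failure has aged out of the window by 03:14, so the block lands on the third failure inside ten minutes rather than the third failure overall, and the single mistyped password from 198.51.100.5 never triggers one.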
