[K12OSN] OT: Break-In report
Nils Breunese
nils at breun.nl
Wed Jan 2 15:54:14 UTC 2008
Rob Owens wrote:
> I've heard about the various packages that block connections based
> on x number of failed attempts. I'm going to look at them a little more
> seriously now.
I like fail2ban (http://fail2ban.sourceforge.net/), which creates
temporary iptables rules for hosts that make too many attempts to log in
to a service. If you enable the RPMforge yum repository (a config file
ships with K12LTSP in /etc/yum.repos.d, but you need to enable it
explicitly by setting enable=1) you can do the following:
1. Install fail2ban: yum install fail2ban
2. Start fail2ban: service fail2ban start
3. Make sure it starts on boot: chkconfig --level 345 fail2ban on
The defaults do a good job, but if you want notification or want to change
the block time, etc., have a look at /etc/fail2ban.conf. (Don't forget to
restart fail2ban after making changes: service fail2ban restart).
Fail2ban automatically monitors sshd, but can also be set up to monitor
other services.
Setting up public key authentication and disabling password
authentication for sshd completely is an even better idea if that is
feasible in your setup. I still like to run fail2ban in that case, if
only to keep the logs from filling with failed login attempts.
Nils Breunese.
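
The "block after x failed attempts" idea discussed in this message, as an added example that is not part of the original post and not fail2ban's own code: it counts failed sshd password logins per source address inside a sliding time window and reports which hosts would be blocked. The log lines are constructed samples, and the threshold (3 failures), window (10 minutes) and year are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation-range addresses), not real data.
SAMPLE_LOG = """\
Jan  2 15:40:01 server sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan  2 15:40:03 server sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jan  2 15:40:04 server sshd[2104]: Accepted publickey for nils from 198.51.100.20 port 51514 ssh2
Jan  2 15:40:06 server sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Jan  2 15:41:00 server sshd[2110]: Failed password for rob from 198.51.100.20 port 51600 ssh2
Jan  2 15:58:00 server sshd[2190]: Failed password for rob from 198.51.100.20 port 51710 ssh2
Jan  2 16:10:00 server sshd[2250]: Failed password for rob from 198.51.100.20 port 51822 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def find_bans(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2008):
    """Return [(ip, time_of_ban)] for hosts reaching max_retry failures within find_time.

    max_retry, find_time and year are assumed values for this illustration
    (syslog timestamps carry no year, so one has to be supplied).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = set()
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ip = m["ip"]
        if ip in banned:
            continue              # already blocked, nothing more to count
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(when)
        # Drop failures that fell out of the sliding window.
        while when - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            banned.add(ip)
            bans.append((ip, when))
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S} would block {ip}")
```

In the sample, the host with three failures in five seconds is blocked, while the user who mistypes a password three times over half an hour is not, because the earlier failures age out of the window.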