[K12OSN] reporting and/or stopping cracking attempts on server

Terrell Prude' Jr. microman at cmosnetworks.com
Fri Mar 18 05:13:36 UTC 2011


Moving SSH to a nonstandard port has been suggested.  I disagree with 
that, because, as an INFOSEC engineer, I've learned over the years that 
security through obscurity is no security at all.  I'm in a similar 
situation with a Debian box that I run at work, also accessible from the 
Internet.

What I do is packet-filter the daylights out of it and use fail2ban 
(looks like you are, too--very good).  I like the concept of DenyHosts a 
lot, and I believe that fail2ban is the improved version of that 
concept, since it uses iptables, thus preventing the "bad" packets from 
ever getting to any daemon in the first place.  Reduce your total login 
attempts to 3, and block that offending IP address for a month.

Now, that said....

Personally, I wouldn't be running all that stuff on the same box to 
begin with.  Yes, SELinux is helpful, and it should be used.  However, I 
guess I'm still of the old school that says "one bastion host for HTTP, 
one bastion host for email, one bastion host for <insert whatever 
else>", etc.  It's just so much easier to design and keep security rules 
(ACLs and such) with those functions on separate servers.  
Virtualization can help out here if you don't want to run more than one 
physical box.  Fortunately, CentOS 5 has Xen and KVM, both of which 
actually work pretty well.

--TP


Carl Keil wrote:
> Hello folks,
>
> For those of you that run servers exposed to the outside world, I just 
> wanted to send a ping out and see what others are doing about this.  
> I'm seeing an escalation in what I call "brute force" attacks on my 
> server.  Like people trying to SSH in repeatedly from one IP with 
> common sounding user names.  Or lots of http requests (I've got web on 
> the same server) for ....setup.php or setup.pl etc.  Repeated Auth 
> requests to sendmail.
>
> I've started running fail2ban, which, I feel, does a great job of 
> cutting this down.  Is there anything better that's about equally as 
> easy to set up?  Is there any point in making the effort to look up the 
> IPs and contact the ISPs about this?  Or does that just piss off the 
> script kiddies and make you more of a target?  I don't want to have to 
> become a full-on security expert, but I want to make sure I'm doing 
> all the easy no-brainer stuff that can protect you 99% of the time.  I 
> hope that attitude doesn't offend anyone.  I'm not working for a 
> school.  I got into ltsp for home use and just run it for convenience 
> and pleasure.  Dealing with idiots who are trying to break in cuts 
> down on both.
>
> Thanks,
>
> ck
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
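The fail2ban settings TP recommends (three attempts, then a month-long ban) would look like this in a jail.local override. This is an added illustration, not a file from either poster or from the fail2ban project; it assumes fail2ban 0.8.x as shipped for CentOS 5 (bantime must be an integer number of seconds there), an iptables-based action, and the CentOS auth log path /var/log/secure (Debian uses /var/log/auth.log). The ignoreip range is a constructed placeholder.

```ini
# Example /etc/fail2ban/jail.local (assumed fail2ban 0.8.x); values here
# override jail.conf. Constructed for illustration, not from the post.

[DEFAULT]
# Three failed attempts inside findtime (10 minutes) trigger a ban.
maxretry = 3
findtime = 600
# Ban for 30 days; 0.8.x accepts only integer seconds (30*24*3600).
bantime  = 2592000
# Never ban the admin network. 192.0.2.0/24 is a documentation range
# standing in for your own management subnet (constructed value).
ignoreip = 127.0.0.1 192.0.2.0/24
# Default action: iptables rule that drops the offender before any daemon
# sees the packet, which is the point TP makes about fail2ban vs DenyHosts.
banaction = iptables

# Repeated SSH logins with guessed usernames from one address.
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure

# Probes for scripts that do not exist on the web server
# (the "....setup.php / setup.pl" requests in the original question).
[apache-noscript]
enabled  = true
filter   = apache-noscript
action   = iptables-multiport[name=NoScript, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/error_log
```

After restarting fail2ban, `fail2ban-client status ssh-iptables` lists the currently banned addresses for that jail, and `iptables -L fail2ban-SSH -n` shows the drop rules the action actually installed; if the second command shows no chain, the action line or the log path is wrong and nothing is being blocked despite the jail being "enabled".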
