Koozali.org: home of the SME Server
Legacy Forums => Suggestions => Topic started by: hecoms on July 17, 2006, 12:24:04 AM
-
An SME server (6.01) of mine has now been hammered by folks from Denmark for weeks (24/7). It overloads the logfiles and I get an out-of-memory error during the logrotate.
There is a project (perlscript) at bruteforceblocker http://danger.rulez.sk/projects/bruteforceblocker/
This is for freebsd. Is this adaptable for SMEserver? This will help a lot!
Regards Jaap
-
I never got auto-blocking working, but I used http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port to change my default port and haven't had an attack for months.
I know this is only a make-shift solution, but if it keeps your server running long enough to get the auto-blocking solution up and running, great!
-
hecoms
Much better from a security perspective is to disable ssh password access. Then configure your server & your client PC with public/private keys.
No one except you will be able to access your server then & no more logging of failed attempts as password access is disabled.
Ian Wells wrote a good howto for this, and it is fairly easy to implement.
-
Hi hecoms,
nice little program that reads log files and writes the iptables as it goes.
It is called Daemon Shield. I have used it on a CentOS 4.3 server
and it worked as advertised. Link below:
http://sourceforge.net/projects/daemonshield/
I do not know if it is fully compatible with SME7, yet!
Try it at your own risk. I may be able to do some testing on an SME7 box
later this month.
Good luck
Joe
-
boss_hog
Does that mean you may be contributing a daemonshield rpm?
best wishes, Robert
-
Hi Robert,
Does that mean you may be contributing a daemonshield rpm?
Well.... I have never built an RPM, but I would love to.
Building an RPM would help me to give something back to the SME.
So an answer? Maybe.
At the very least, I will put Daemon Shield on an SME7 box and
see if I can get it to work properly. Once successful, I would post
a How To.
If all goes well, maybe I can post back next month.
Joe
-
Oops,
after going back to Daemon Shield at freshmeat.net, the program is claimed to be compatible with CentOS and RHEL.
By next week sometime, I should get a SME7 test box up
and running.
I will install (attempt to install) on a fresh SME7.
See where it goes from there!
Joe
-
boss_hog
> ...nice little program that reads log files and writes the iptables as it goes
Why even bother implementing this? You are only chasing your own tail as hackers keep changing IPs.
Secure your server & ssh connection properly with public/private keys as per the howto mentioned.
-
Hey Ray,
I won't waste the time trying to explain the idea of Daemon Shield in detail.
Anyone who may be interested can just go to freshmeat and delve into the spirit of things.
But as a crude synopsis:
It monitors the logs for FAILED login attempts over a set time frame.
Say you set it at 5 FAILED attempts per 1 minute, and it will lock the IP
of the "attacker" for a determined time, say 30 minutes.
It slows down the 200+ list of attempts in your logs and will slow
the bots down a little.
Joe
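The threshold-and-lockout idea Joe sketches above (N failed logins within a minute, block the source for 30 minutes), as an added example in Python; this is not Daemon Shield's code or anything posted in the thread. The sshd log lines are constructed, and the actual blocking step (an iptables call, for instance) is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog format (no year), not from the thread.
SAMPLE_LOG = """\
Jul 17 00:10:01 sme sshd[4410]: Failed password for root from 203.0.113.7 port 40221 ssh2
Jul 17 00:10:04 sme sshd[4412]: Failed password for invalid user admin from 203.0.113.7 port 40222 ssh2
Jul 17 00:10:08 sme sshd[4415]: Failed password for root from 203.0.113.7 port 40223 ssh2
Jul 17 00:10:15 sme sshd[4417]: Failed password for root from 203.0.113.7 port 40224 ssh2
Jul 17 00:10:31 sme sshd[4419]: Failed password for test from 203.0.113.7 port 40225 ssh2
Jul 17 00:10:40 sme sshd[4421]: Failed password for jaap from 198.51.100.22 port 51000 ssh2
Jul 17 00:12:02 sme sshd[4430]: Accepted publickey for jaap from 198.51.100.22 port 51001 ssh2
Jul 17 00:20:05 sme sshd[4444]: Failed password for root from 203.0.113.7 port 40230 ssh2
"""

# Matches only "Failed password" lines; "invalid user" is optional in sshd's wording.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_ts(stamp, year=2006):
    """Syslog timestamps carry no year, so one is supplied (assumed 2006 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, max_failures=5, window=timedelta(minutes=1),
                   ban=timedelta(minutes=30)):
    """Return {ip: ban_expiry} for every source with >= max_failures inside window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group(1)), m.group(2)
        if ip in bans and ts < bans[ip]:
            continue              # still banned; the firewall would have dropped this anyway
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # slide the window forward
        if len(q) >= max_failures:
            bans[ip] = ts + ban   # caller applies the block, e.g. via iptables
            q.clear()
    return bans
```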
-
boss_hog
No explanation needed. I understand what this type of program does; I think it's Guardian (part of Snort Acid Guardian) that has already been implemented for SME.
I was just making a point about the concept: no matter how much you monitor & temporarily block access attempts, the hackers & robots will keep on trying, so why bother with this type of blocking script at all.
Secure your server properly.
You can totally STOP all ssh password based access attempts by disabling ssh password access and enabling public/private keys, and you will have a significantly more secure server in the process, and no numerous ssh log attempts showing in the log files ever again.
See this howto
http://no.longer.valid/phpwiki/index.php/SSH%20Public-Private%20Keys
-
It depends on the situation. If you will have only specific computers connecting to the server, then public/private keys work great. But if you have a lot of traveling sales people who sometimes connect to the server from their home computer, sometimes from a laptop on the road and sometimes from a hotel computer, passwords are the only way you can accomplish this.
So there is no one solution, it depends on the situation.
-
calisun
> sometimes connect to the server from their home computer
> ...from laptop on the road...from hotel computer,
> passwords is the only way you can accomplish this.
They could have the key file (& Putty too) on a USB stick they carry with them and then be able to use any computer anywhere.
-
Ray,
Checking into your suggestion with p/p keys. Wondering if the how-to by Ian Wells is still applicable in 7.1.2 and if it is should we move it to the new wiki along with "changing the default ssh port"?
Regards,
Paul
-
pmstewart
ssh p/p key access still works OK on sme 7.1.2 without modification after yum upgrades from sme 7.0, so I assume the howto is still applicable.
-
Thx Ray.....
-
Using iptables, you can ban for, say, 5 minutes an IP that has failed X times.
It goes something like this:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP
That example bans for 300 seconds after 10 unsuccessful tries.
-
Of course you'll need to replace 22 and eth0 with the port sshd is listening on and the name of your network iface.
-
I'm not sure, but I think that SME does not contain the necessary module ipt_recent.