For the task of banning people trying to force their way into my server
I use the following combination:

portsentry + logwatch (and a bit of iptables to restrict access to
certain servers to certain clients).

portsentry will monitor certain ports and check for known attacks (the
SSH attack and port scan is among those) and given some rules it will
put the IP/hostname into the /etc/hosts.deny file and thus make sure
that they won't be able to gain access to the machine (with some other
techniques they won't even be able to SEE the machine!).

logwatch mails me a summary of the most important logs every day (I've
set my system to do it around midnight - just after my log system changes
logfile). So I know how much disk space is left, how much bandwidth I've
used for the day, how many SSH login attempts there were (successful,
unsuccessful and which accounts were tried), etc.

Angel ~ # emerge -s portsentry
Searching...
[ Results for search key : portsentry ]
[ Applications found : 1 ]

*  net-analyzer/portsentry
      Latest version available: 1.2
      Latest version installed: [ Not Installed ]
      Size of downloaded files: 46 kB
      Homepage:    http://sourceforge.net/projects/sentrytools/
      Description: Automated port scan detector and response tool
      License:     GPL-2


Angel ~ # emerge -s logwatch
Searching...
[ Results for search key : logwatch ]
[ Applications found : 3 ]

...
*  sys-apps/logwatch
      Latest version available: 6.0.2
      Latest version installed: 6.0.2
      Size of downloaded files: 149 kB
      Homepage:    http://www.logwatch.org/
      Description: Analyzes and Reports on system logs
      License:     MIT
...


This is nice and stable - if you configure your portsentry a bit
(remember to add your own IP as an exception - otherwise you MIGHT just
lock yourself out of the box if you do some security auditing ;-) ).

Just my .02 on this subject. I've been using this for a while - and it
definitely does what it's supposed to do!

/Jakob Rosenlund

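As an added example, not code from this thread and not the implementation of portsentry, fail2ban or logwatch: the script below does in miniature what those tools are being recommended for. It parses sshd "Failed password" lines, counts failures per source IP inside a sliding time window, exempts an allowlist (the "add your own IP as an exception" caveat above), and emits the /etc/hosts.deny lines and iptables commands a ban would consist of, plus the per-account failure tally logwatch would mail. The log lines are constructed, the year (syslog timestamps carry none), the 5-failures-in-10-minutes threshold and the allowlist are assumptions, and nothing is written to the system; the command strings are only returned.

```python
"""Added example: fail2ban/portsentry-style ban decision over sshd log lines.
The SAMPLE_LOG lines are constructed; threshold, window, year and allowlist
are assumptions for the demo, not any tool's defaults."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed syslog-style sshd lines (documentation-range addresses, no real traffic).
SAMPLE_LOG = """\
Oct 10 21:14:01 angel sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 10 21:14:03 angel sshd[4014]: Failed password for invalid user test from 203.0.113.7 port 51031 ssh2
Oct 10 21:14:05 angel sshd[4016]: Failed password for root from 203.0.113.7 port 51040 ssh2
Oct 10 21:14:07 angel sshd[4018]: Failed password for invalid user oracle from 203.0.113.7 port 51052 ssh2
Oct 10 21:14:09 angel sshd[4020]: Failed password for root from 203.0.113.7 port 51060 ssh2
Oct 10 21:20:15 angel sshd[4101]: Failed password for jakob from 192.0.2.10 port 40012 ssh2
Oct 10 21:20:17 angel sshd[4103]: Failed password for jakob from 192.0.2.10 port 40013 ssh2
Oct 10 21:20:19 angel sshd[4105]: Failed password for jakob from 192.0.2.10 port 40014 ssh2
Oct 10 21:20:21 angel sshd[4107]: Failed password for jakob from 192.0.2.10 port 40015 ssh2
Oct 10 21:20:23 angel sshd[4109]: Failed password for jakob from 192.0.2.10 port 40016 ssh2
Oct 10 21:20:30 angel sshd[4111]: Accepted password for jakob from 192.0.2.10 port 40017 ssh2
Oct 10 22:00:00 angel sshd[4200]: Failed password for root from 198.51.100.5 port 2222 ssh2
Oct 10 22:00:05 angel sshd[4202]: Failed password for root from 198.51.100.5 port 2223 ssh2
Oct 10 22:00:10 angel sshd[4204]: Failed password for root from 198.51.100.5 port 2224 ssh2
Oct 11 00:00:00 angel sshd[4300]: Failed password for root from 198.51.100.5 port 2225 ssh2
Oct 11 00:00:05 angel sshd[4302]: Failed password for root from 198.51.100.5 port 2226 ssh2
Oct 11 00:00:10 angel sshd[4304]: Failed password for root from 198.51.100.5 port 2227 ssh2
"""

# "invalid user" is optional: sshd logs it for unknown accounts, not for real ones like root.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Return (timestamp, user, ip) for every 'Failed password' line.
    syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # 'Accepted password' and unrelated lines are skipped
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        out.append((ts, m["user"], m["ip"]))
    return out


def offenders(failures, threshold=5, window=timedelta(minutes=10), allowlist=()):
    """IPs with >= threshold failures inside any sliding window, minus the allowlist."""
    nets = [ip_network(a) for a in allowlist]  # CIDR or single addresses
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    banned = []
    for ip, stamps in by_ip.items():
        if any(ip_address(ip) in n for n in nets):
            continue  # your own auditing box must never end up in hosts.deny
        stamps.sort()
        # Ban if any run of `threshold` consecutive failures fits in the window.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                banned.append(ip)
                break
    return sorted(banned)


def hosts_deny_lines(ips):
    """tcp_wrappers syntax for /etc/hosts.deny: 'daemon_list : client_list'."""
    return [f"ALL: {ip}" for ip in ips]


def iptables_commands(ips):
    """Drop everything from the offender; -I puts the rule ahead of any ACCEPT rule."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def account_summary(failures):
    """Per-account failure counts, the kind of tally logwatch mails every day."""
    return dict(Counter(user for _ts, user, _ip in failures))


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    bad = offenders(fails, allowlist=["192.0.2.0/24"])  # assumed "my own" range
    print("failed logins per account:", account_summary(fails))
    print("\n".join(hosts_deny_lines(bad) + iptables_commands(bad)))
```

With the sample above only 203.0.113.7 is banned: 192.0.2.10 also racks up five failures in seconds but sits in the allowlisted range, and 198.51.100.5 has six failures in total yet never five inside one ten-minute window, so a threshold that counts over the whole log would have banned it while the windowed count does not. Lower the threshold to 3 and it is banned too.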
woody wrote:

> Jochen Maes wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hey all,
>>
>>
>> ok, on one of my servers I keep on getting one IP range that tries to
>> login through ssh (200-300 attempts) with other usernames.
>> This is probably a script that's being run all the time, but the ISP
>> doesn't mind, I already sent my logs and my complaints and I don't
>> get any response.
>> Is there something like hackerwatch that I can send those logs to
>> (preferably automatically) when it happens?
>> I've blocked the range now so it isn't a problem, but I hate it that the ISP
>> does nothing against it.
>
>
> have a look at fail2ban..
>
> diabolo prod # emerge -s fail2ban
> Searching...
> [ Results for search key : fail2ban ]
> [ Applications found : 1 ]
>
> *  net-firewall/fail2ban
>       Latest version available: 0.5.4
>       Latest version installed: 0.5.4
>       Size of downloaded files: 18 kB
>       Homepage:    http://sourceforge.net/projects/fail2ban
>       Description: Bans IP that make too many password failures
>       License:     GPL-2
>
>>
>> greetings,
>>
>> SeJo
>>
>> - --
>> "Defer no time, delays have dangerous ends"
>>
>> Jochen Maes      Gentoo Linux
>> Gentoo Belgium
>> http://sejo.be
>> http://gentoo.be
>> http://gentoo.org
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.2 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe
>> ZPNqAHab5fXLdx11vdod5rc=
>> =35Kg
>> -----END PGP SIGNATURE-----
>>
>
--
gentoo-security@g.o mailing list