| 1 |
For the task of banning people trying to force their way into my server |
| 2 |
I use the following combination: |
| 3 |
|
| 4 |
portsentry + logwatch (and a bit of iptables to restrict access to |
| 5 |
certain servers to certain clients). |
| 6 |
|
| 7 |
portsentry will monitor certain ports and check for known attacks (the |
| 8 |
SSH attack and port scan is among those) and given some rules it will |
| 9 |
put the IP/hostname into the /etc/hosts.deny file and thus make sure |
| 10 |
that they wont be able to gain access to the machine (with some other |
| 11 |
techniques they wont even be able to SEE the machine!). |
| 12 |
|
| 13 |
logwatch mails me a summary of the most important logs every day (I've |
| 14 |
set my system to do it around midnight - just after my logsystem changes |
| 15 |
logfile). So I know how much diskspace is left, how much bandwidth I've |
| 16 |
used for the day, how many SSH login attempts there were (succesful, |
| 17 |
unsuccesful and which accounts were tried), etc. |
| 18 |
|
| 19 |
Angel ~ # emerge -s portsentry |
| 20 |
Searching... |
| 21 |
[ Results for search key : portsentry ] |
| 22 |
[ Applications found : 1 ] |
| 23 |
|
| 24 |
* net-analyzer/portsentry |
| 25 |
Latest version available: 1.2 |
| 26 |
Latest version installed: [ Not Installed ] |
| 27 |
Size of downloaded files: 46 kB |
| 28 |
Homepage: http://sourceforge.net/projects/sentrytools/ |
| 29 |
Description: Automated port scan detector and response tool |
| 30 |
License: GPL-2 |
| 31 |
|
| 32 |
|
| 33 |
Angel ~ # emerge -s logwatch |
| 34 |
Searching... |
| 35 |
[ Results for search key : logwatch ] |
| 36 |
[ Applications found : 3 ] |
| 37 |
|
| 38 |
... |
| 39 |
* sys-apps/logwatch |
| 40 |
Latest version available: 6.0.2 |
| 41 |
Latest version installed: 6.0.2 |
| 42 |
Size of downloaded files: 149 kB |
| 43 |
Homepage: http://www.logwatch.org/ |
| 44 |
Description: Analyzes and Reports on system logs |
| 45 |
License: MIT |
| 46 |
... |
| 47 |
|
| 48 |
|
| 49 |
This is nice and stable - if you configure your portsentry a bit |
| 50 |
(remember to add your own IP as an exception - otherwise you MIGHT just |
| 51 |
lock yourself out of the box if you do some security auditing ;-) ). |
| 52 |
|
| 53 |
Just my .02 on this subject. I've been using this for a while - and it |
| 54 |
definently does what it's supposed to do! |
| 55 |
|
| 56 |
/Jakob Rosenlund |
| 57 |
|
| 58 |
woody wrote: |
| 59 |
|
| 60 |
> Jochen Maes wrote: |
| 61 |
> |
| 62 |
>> -----BEGIN PGP SIGNED MESSAGE----- |
| 63 |
>> Hash: SHA1 |
| 64 |
>> |
| 65 |
>> Hey all, |
| 66 |
>> |
| 67 |
>> |
| 68 |
>> ok one off my servers i keep on getting one iprange that tries to |
| 69 |
>> login through ssh (200-300) attemps with other usernames. |
| 70 |
>> This is probably a script that's being ran all the time, but the isp |
| 71 |
>> doesn't mind, i allready sent my logs and my complaints and i don't |
| 72 |
>> get any response. |
| 73 |
>> Is there something like hackerwatch that i can send those logs to |
| 74 |
>> (preferrably automatically) when happening? |
| 75 |
>> I've blocked the range now so isn't a problem but hate it that the isp |
| 76 |
>> doesn nothing against it. |
| 77 |
> |
| 78 |
> |
| 79 |
> have a look to fail2ban.. |
| 80 |
> |
| 81 |
> diabolo prod # emerge -s fail2ban |
| 82 |
> Searching... |
| 83 |
> [ Results for search key : fail2ban ] |
| 84 |
> [ Applications found : 1 ] |
| 85 |
> |
| 86 |
> * net-firewall/fail2ban |
| 87 |
> Latest version available: 0.5.4 |
| 88 |
> Latest version installed: 0.5.4 |
| 89 |
> Size of downloaded files: 18 kB |
| 90 |
> Homepage: http://sourceforge.net/projects/fail2ban |
| 91 |
> Description: Bans IP that make too many password failures |
| 92 |
> License: GPL-2 |
| 93 |
> |
| 94 |
>> |
| 95 |
>> greetings, |
| 96 |
>> |
| 97 |
>> SeJo |
| 98 |
>> |
| 99 |
>> - -- |
| 100 |
>> "Defer no time, delays have dangerous ends" |
| 101 |
>> |
| 102 |
>> Jochen Maes Gentoo Linux |
| 103 |
>> Gentoo Belgium |
| 104 |
>> http://sejo.be |
| 105 |
>> http://gentoo.be |
| 106 |
>> http://gentoo.org |
| 107 |
>> -----BEGIN PGP SIGNATURE----- |
| 108 |
>> Version: GnuPG v1.4.2 (GNU/Linux) |
| 109 |
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 110 |
>> |
| 111 |
>> iD8DBQFDSjnYMXMsRNMHhmARAoXVAJ92bRcBAO04hIUk2VgBOcpm1gm9cgCgmNHe |
| 112 |
>> ZPNqAHab5fXLdx11vdod5rc= |
| 113 |
>> =35Kg |
| 114 |
>> -----END PGP SIGNATURE----- |
| 115 |
>> |
| 116 |
> |
| 117 |
-- |
| 118 |
gentoo-security@g.o mailing list |
Archives