bruteforce protection howto

Werner Schram wrschram at gmail.com
Sat Mar 20 23:26:23 UTC 2010


On 20-3-2010 23:17, Vadkan Jozsef wrote:
> Two PCs:
>
> 1 - router
> 2 - logger
>
> Situation: someone tries to bruteforce into a server, and the logger
> gets a log about it [e.g.: ssh login failed].
>
> What's the best method to ban that IP [that is bruteforcing a server]
> that was logged on the logger?
> I need to ban the IP on the router PC.
>
> How can I send the bad IP to the router, to ban it?
>
> Just run a cronjob, and e.g.: scp the list of IPs from the logger to
> the router, then ban the IPs from the list on the router PC?
>
> Or is there any "official" method for this?
>
> I'm just asking for docs/howtos.. :\ to get started..
>
> Thank you!
>
>
>    
I like denyhosts. Look at http://denyhosts.sourceforge.net/ for 
documentation.

By default, it adds attackers to the /etc/hosts.deny list, but you can 
use your own scripts to add/remove rules to your router. It can identify 
attackers by analyzing your log files, but it can (optionally) also 
exchange information about attackers with other denyhosts users. This 
makes it pretty decent against distributed attacks. It also times out 
hosts that haven't attacked you for a while to reduce the eventual 
stress on your network stack.
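
The logger-side step discussed in this thread, as an added example (not part of the original posts and not DenyHosts code): it finds repeated failed sshd logins in constructed sample log lines, builds the ban list that would be shipped to the router, and expires hosts that have gone quiet. The threshold, window, timeout, function names and log lines are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation IPs, not from the post).
SAMPLE_LOG = """\
Mar 20 23:01:02 logger sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar 20 23:01:05 logger sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Mar 20 23:01:09 logger sshd[812]: Failed password for root from 203.0.113.7 port 4024 ssh2
Mar 20 23:02:00 logger sshd[820]: Failed password for bob from 198.51.100.4 port 5100 ssh2
Mar 20 23:02:30 logger sshd[821]: Accepted password for bob from 198.51.100.4 port 5101 ssh2
"""

# The user name is attacker-controlled, so match it greedily and anchor the
# address at the end of the line: a name containing " from 192.0.2.1 port 1 ssh2"
# must not get somebody else's address banned.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def failures(log_text, year):
    """Yield (timestamp, ip) for every failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies it
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def update_bans(bans, log_text, now, threshold=3,
                window=timedelta(minutes=10), timeout=timedelta(days=1)):
    """Return a new {ip: last_failure} table: add offenders, expire quiet hosts."""
    recent = {}
    for ts, ip in failures(log_text, now.year):
        if now - ts <= window:
            recent.setdefault(ip, []).append(ts)
    bans = dict(bans)
    for ip, stamps in recent.items():
        if len(stamps) >= threshold:
            bans[ip] = max(stamps)  # repeat offenders get their timer refreshed
    return {ip: seen for ip, seen in bans.items() if now - seen <= timeout}

def ban_list(bans):
    """One address per line, sorted: the file the logger ships to the router."""
    return "".join(f"{ip}\n" for ip in sorted(bans))

if __name__ == "__main__":
    print(ban_list(update_bans({}, SAMPLE_LOG, datetime(2010, 3, 20, 23, 5))), end="")
```

On the router, each address in the shipped list should be validated as an IP address again before it is turned into a firewall rule, since the list crosses a trust boundary.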





