bruteforce protection howto

Franz Waldmüller waldbauernbub at gmx.at
Sun Mar 21 11:33:33 UTC 2010


NoOp schrieb:
> On 03/20/2010 03:17 PM, Vadkan Jozsef wrote:
[snip]
>> Situation: someone tries to bruteforce into a server, and the logger
>> gets a log about it [e.g.: ssh login failed].
>>
>> What's the best method to ban that ip [which is bruteforcing a server]
>> that was logged on the logger?
>> I need to ban the ip on the router pc.
>>
>> How can i send the bad ip to the router, to ban it?
>>
[snip]
> https://help.ubuntu.com/community/InstallingSecurityTools
>  http://manpages.ubuntu.com/manpages/karmic/en/man8/denyhosts.8.html
>   http://denyhosts.sourceforge.net/
>    https://help.ubuntu.com/community/Fail2ban
> might be of use.
> 
> 

I agree with the other posters; I have fail2ban in use and it works very 
efficiently (but I don't know how, and if, it will work with your 
two-machine setup).
I have disabled ssh root login and supplied the ssh daemon with an 
explicit list of users who are allowed to log in and from where they are 
allowed to log in.
Take a look at the snippet from my /etc/ssh/sshd_config :

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers franz micheal@localhost micheal@192.168.1.4

User franz is allowed to log in from everywhere, micheal just from 
localhost and from 192.168.1.4. I think this should work with address 
ranges as well, but I haven't tried it yet.

This simple measure significantly reduced the number of IP addresses 
which have to be banned. More on the ssh config and the AllowUsers 
option here:
http://www.freebsd.org/doc/en/books/handbook/openssh.html
Don't forget to restart the ssh server after making changes to sshd_config.

If you have to log in from untrusted machines you could take a look at 
one-time passwords, e.g. opie-server / opie-client (I have not used 
these programs yet).

Another package which is aimed at hardening Linux is bastille, but this 
is OT now.

keep the bad guys out!
Franz
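The step the original question asks about, getting a brute-forcing IP from the sshd log on one machine into a ban rule on a separate router box, is what fail2ban automates on a single host. The script below is an added example (not code from the thread, from fail2ban or from Franz) of the same logic written out by hand: parse "Failed password" lines from an Ubuntu-style auth.log, apply a per-IP sliding-window threshold, skip trusted networks, and emit the iptables commands to run on the router over ssh. The log lines are constructed samples, and the threshold (5 failures in 10 minutes), the router name "router", the assumption that root has a key on it, and the choice of the FORWARD chain are all assumptions of the example, not values from the thread. FORWARD is used because traffic to a server behind the router traverses the router's FORWARD chain, not INPUT; a router that is itself the ssh target would need INPUT as well.

```python
"""Detect ssh brute force in sshd log lines and build router ban commands.

Added example, not part of the original mailing-list post.  Threshold,
window, trusted network, router hostname and iptables chain are assumptions.
"""
import ipaddress
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample of Ubuntu sshd auth.log lines (not from a real host).
# 203.0.113.5 fails 5 times in 18 seconds; 198.51.100.7 fails 5 times but
# spread over 47 minutes; 192.168.1.4 is the trusted LAN host from the thread.
SAMPLE_LOG = """\
Mar 21 10:01:02 srv sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 21 10:01:05 srv sshd[2002]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar 21 10:01:09 srv sshd[2003]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar 21 10:01:14 srv sshd[2004]: Failed password for invalid user test from 203.0.113.5 port 51266 ssh2
Mar 21 10:01:20 srv sshd[2005]: Failed password for invalid user guest from 203.0.113.5 port 51270 ssh2
Mar 21 10:02:30 srv sshd[2010]: Failed password for franz from 192.168.1.4 port 40001 ssh2
Mar 21 10:02:40 srv sshd[2011]: Accepted publickey for franz from 192.168.1.4 port 40002 ssh2
Mar 21 09:30:00 srv sshd[1900]: Failed password for root from 198.51.100.7 port 33000 ssh2
Mar 21 09:31:00 srv sshd[1901]: Failed password for root from 198.51.100.7 port 33001 ssh2
Mar 21 10:15:00 srv sshd[2100]: Failed password for root from 198.51.100.7 port 33002 ssh2
Mar 21 10:16:00 srv sshd[2101]: Failed password for root from 198.51.100.7 port 33003 ssh2
Mar 21 10:17:00 srv sshd[2102]: Failed password for root from 198.51.100.7 port 33004 ssh2
"""

# syslog timestamp, host, sshd[pid], then the failed-password message.
# "invalid user" is optional: root and real accounts are logged without it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2010):
    """Return [(datetime, ip), ...] for every failed-password line.

    syslog lines carry no year, so the caller supplies it (assumed 2010 here);
    a log that spans New Year would need the caller to split it.
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"]))
    return failures


def find_brute_forcers(failures, threshold=5, window_seconds=600, trusted_nets=()):
    """Return the set of IPs with >= threshold failures inside any sliding window.

    Addresses inside trusted_nets (CIDR strings) are never banned, so a typo
    from the LAN cannot lock the admin out at the router.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)

    banned = set()
    for ip, times in by_ip.items():
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        times.sort()
        start = 0  # oldest failure still inside the window ending at times[end]
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                banned.add(ip)
                break
    return banned


def router_ban_commands(ips, router="root@router", chain="FORWARD"):
    """Commands to push each ban to the router over ssh (assumed root key on it).

    The commands are returned, not executed, so they can be reviewed or fed
    to a cron job; FORWARD is assumed because the server sits behind the router.
    """
    return [f"ssh {router} iptables -I {chain} -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    # Usage: python3 ssh_ban.py /var/log/auth.log   (no argument: sample log)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    bad = find_brute_forcers(parse_failures(text), trusted_nets=("192.168.1.0/24",))
    for cmd in router_ban_commands(bad):
        print(cmd)
```

With the sample log only 203.0.113.5 is banned: 198.51.100.7 has five failures in total but never five inside ten minutes, which is the point of the sliding window, and 192.168.1.4 is excluded by the trusted network. Widening the window to two hours catches 198.51.100.7 as well. A real deployment would also need the reverse step (expiring bans with `iptables -D` after some time), which fail2ban already does.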




More information about the ubuntu-users mailing list