UGN Security
Posted By: busfault ssh/auth/apache security - 07/08/05 12:00 AM
I have a fair amount of Linux experience, however I am not sure what to do, or how to go about, working on this issue.
Currently I am allowing only a couple of ways to access my machine (300MHz Pentium with Debian Linux Unstable) of which are ftp, http, and ssh. I was looking through my logs and I am getting a bulk of traffic that is obvious script crap. For instance my auth.log is filled with invalid logins of numerous usernames, (alphabetic I may add) and in my Apache logs they are filled with obvious attempts to break Apache, well mostly Windows IIS.
So enough with the scenario, I would like to know how I can make it so that when there are numerous unwanted attempts that I can put their IPs into a blacklist that won't be allowed to connect to my machine at all. So that when that IP tries to connect it doesn't even get to the application. Then perhaps I would like to be able to let that address sit for a period of time before it is let back in, so that I don't block legitimate connections since person's IPs change.
Any help would be greatly appreciated.
Posted By: Gremelin Re: ssh/auth/apache security - 07/08/05 05:38 AM
Use a non-standard port for SSH, disable Telnet; for your apache you can make a .htaccess file and ban ip's directly (I prefer masks myself); an example would be:

Taken directly from UGN's .htaccess file:
Code
# Deny users IP's #
order allow,deny
#deny from 123.45.6.7 - Bans Direct IP
#deny from 012.34.5. - Bans IP block 012.34.5.*
#deny from .undergroundnews.com - bans host of *.undergroundnews.com
deny from .kestii.go.ro
allow from all
Posted By: diggin2deep Re: ssh/auth/apache security - 12/19/10 03:58 PM
The best way to do this is with the Fail2Ban program which comes with a number of filters to help you accomplish just this. Most distros have this in their repositories, just look around a little. You can also set in your sshd.conf that only certain keys can login or that they authenticate with a private key in addition to/instead of a password.
Posted By: Gremelin Re: ssh/auth/apache security - 12/23/10 01:03 PM
Most ISP's don't allow access to the firewall, but I guess that would be useful for personal machines.
© UGN Security Forum