Hi,

I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.

Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?

Cheers,

Niki
Niki Kovacs wrote:
> Hi,
>
> I just set up a web server... and my bandwidth is being eaten by some
> Chinese folks trying to brute-force-ssh their way into the machine.
>
> Is there a simple way to banish either single IP addresses or, maybe
> even better, whole IP classes? I know it's feasible with iptables, but
> is there something more easily configurable?
>
> Cheers,
>

Try fail2ban from rpmforge.

-- 
tkb
On Fri, 2009-10-09 at 20:35 +0200, Niki Kovacs wrote:
> Hi,
>
> I just set up a web server... and my bandwidth is being eaten by some
> Chinese folks trying to brute-force-ssh their way into the machine.
>
> Is there a simple way to banish either single IP addresses or, maybe
> even better, whole IP classes? I know it's feasible with iptables, but
> is there something more easily configurable?

----
Suggest you move ssh to another port (e.g. a high-numbered one), but whether you do or do not move the port sshd listens on, you should install a package like denyhosts which, after a specified number of attempts, locks them out completely.

Craig
On Fri, 09 Oct 2009 20:35:25 +0200 Niki Kovacs wrote:
> Hi,
>
> I just set up a web server... and my bandwidth is being eaten by some
> Chinese folks trying to brute-force-ssh their way into the machine.
>
> Is there a simple way to banish either single IP addresses or, maybe
> even better, whole IP classes? I know it's feasible with iptables, but
> is there something more easily configurable?

man hosts.allow
man hosts.deny

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
On Fri, Oct 09, 2009 at 08:35:25PM +0200, Niki Kovacs wrote:
>
> I just set up a web server... and my bandwidth is being eaten by some
> Chinese folks trying to brute-force-ssh their way into the machine.
>
> Is there a simple way to banish either single IP addresses or, maybe
> even better, whole IP classes? I know it's feasible with iptables, but
> is there something more easily configurable?

I also use denyhosts. The memory footprint is not quite so bad for one host; mine is currently using 13m of resident memory, and a total of 92m of shared memory (from top). But I do see that running hundreds of denyhosts processes could be a memory issue; perhaps it could be hacked to run on the main host and propagate its entries to the virtual hosts.

Anyway, the main issue with denyhosts, and even iptables, is that the traffic still comes over your line. If you have a slow link, the attacks are still going to eat your bandwidth, which can be frustrating. Apart from getting your ISP to block them at the other end, I don't know a good solution to this problem. (It is alleviated somewhat if the attackers realize they've been blocked and move on, so an iptables solution might be a bit better.)

--keith

-- 
kkeller at speakeasy.net
On Fri, Oct 9, 2009 at 7:35 PM, Niki Kovacs <contact at kikinovak.net> wrote:
> Hi,
>
> I just set up a web server... and my bandwidth is being eaten by some
> Chinese folks trying to brute-force-ssh their way into the machine.
>
> Is there a simple way to banish either single IP addresses or, maybe
> even better, whole IP classes? I know it's feasible with iptables, but
> is there something more easily configurable?
>
> Cheers,
>
> Niki

The best way is iptables. If you know you don't/won't have any relations within China/Taiwan/etc. you could ban whole subnets. It would help to use ipset in conjunction with iptables, just for optimisation's sake :)
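The replies above name four mechanisms without showing what they do: fail2ban and denyhosts watch the auth log and ban a source after N failures, hosts.allow/hosts.deny block at the tcp_wrappers layer, and iptables with ipset blocks at the packet filter, optionally for whole subnets. The following is an added example (not code from any poster, nor from fail2ban, denyhosts or ipset) that implements that log-driven rule over a constructed /var/log/secure excerpt, collapses several offenders from one /24 into a single network ban (the "whole IP classes" the question asks about), and renders the result both as hosts.deny entries and as ipset/iptables commands. Assumptions: the syslog year is 2009 (syslog lines carry none), the set name `sshban`, port 22, and current ipset syntax (`ipset create/add`, not the older `ipset -N/-A`). The commands are printed, never executed; running them needs root and is a policy decision.

```python
"""Added example (not from the thread or from fail2ban/denyhosts): count sshd
password failures per source, ban at a threshold inside a time window, and
collapse several offending hosts in one /24 into a network-wide ban."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/secure excerpt (documentation-range addresses); not a real capture.
SAMPLE_LOG = """\
Oct  9 20:30:01 web sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  9 20:30:03 web sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Oct  9 20:30:05 web sshd[2205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Oct  9 20:30:06 web sshd[2207]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct  9 20:30:08 web sshd[2209]: Failed password for root from 203.0.113.7 port 51252 ssh2
Oct  9 20:31:00 web sshd[2211]: Failed password for invalid user test from 203.0.113.9 port 40010 ssh2
Oct  9 20:31:02 web sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 40012 ssh2
Oct  9 20:31:04 web sshd[2215]: Failed password for invalid user guest from 203.0.113.9 port 40014 ssh2
Oct  9 20:31:06 web sshd[2217]: Failed password for invalid user guest from 203.0.113.9 port 40016 ssh2
Oct  9 20:31:08 web sshd[2219]: Failed password for invalid user guest from 203.0.113.9 port 40018 ssh2
Oct  9 20:32:00 web sshd[2221]: Failed password for niki from 198.51.100.4 port 33000 ssh2
Oct  9 20:32:10 web sshd[2223]: Accepted publickey for niki from 198.51.100.4 port 33002 ssh2
Oct  9 21:40:00 web sshd[2225]: Failed password for root from 192.0.2.50 port 2020 ssh2
Oct  9 21:50:00 web sshd[2227]: Failed password for root from 192.0.2.50 port 2021 ssh2
Oct  9 22:00:00 web sshd[2229]: Failed password for root from 192.0.2.50 port 2022 ssh2
Oct  9 22:10:00 web sshd[2231]: Failed password for root from 192.0.2.50 port 2023 ssh2
Oct  9 22:20:00 web sshd[2233]: Failed password for root from 192.0.2.50 port 2024 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2009):
    """Return [(timestamp, source_ip)] for every 'Failed password' line.
    The year is an assumption: syslog omits it, and 2009 matches the thread."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def find_offenders(events, maxretry=5, findtime=600):
    """Ban an IP once it has maxretry failures inside any findtime-second window
    (the sliding-window rule that fail2ban's maxretry/findtime settings express).
    Returns {ip: time_of_ban}. A source that spaces attempts wider than the
    window (192.0.2.50 in the sample) is never banned at the default settings."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def collapse_to_networks(ips, prefixlen=24, min_hosts=2):
    """Group offenders by /prefixlen; a range holding min_hosts or more of them
    is banned whole, the rest stay single-host /32 entries."""
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)].add(ip)
    nets = []
    for net, hosts in by_net.items():
        if len(hosts) >= min_hosts:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(h) for h in hosts)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def hosts_deny_lines(nets, daemon="sshd"):
    """tcp_wrappers entries for /etc/hosts.deny, in the net/mask form hosts_access(5) accepts."""
    return [f"{daemon}: {n.network_address}/{n.netmask}" for n in nets]


def ipset_commands(nets, setname="sshban", port=22):
    """One hash:net set, one iptables rule matching it, one 'add' per network.
    Set name and port are assumptions; the commands are returned, not executed."""
    cmds = [
        f"ipset create {setname} hash:net -exist",
        f"iptables -I INPUT -p tcp --dport {port} -m set --match-set {setname} src -j DROP",
    ]
    cmds.extend(f"ipset add {setname} {n.with_prefixlen} -exist" for n in nets)
    return cmds


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG.splitlines())
    banned = find_offenders(events)
    nets = collapse_to_networks(banned)
    print("banned:", ", ".join(f"{ip} at {t:%H:%M:%S}" for ip, t in banned.items()))
    print("\n".join(hosts_deny_lines(nets)))
    print("\n".join(ipset_commands(nets)))
```

Two points the thread raises show up directly in the run. First, 203.0.113.7 and 203.0.113.9 each cross the threshold on their own, and because they share a /24 the output is a single `203.0.113.0/24` entry rather than two hosts, which is what the ipset `hash:net` set is for. Second, 192.0.2.50 fails five times but ten minutes apart, so with a 600-second window it is never banned; widening `findtime` to an hour catches it, at the cost of more false positives for users who mistype a password occasionally. Neither mechanism changes what keith points out: the SYN packets still arrive on your link whether tcp_wrappers or netfilter drops them.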