similar to: fail2ban and secure permissions

Displaying 20 results from an estimated 5000 matches similar to: "fail2ban and secure permissions"

2011 May 11
2
iptables to block region-specific ip's?
Hello, I'm running fail2ban on my CentOS machine. It's handling sshd and postfix, and is working quite well. From the reports I'm seeing, all the attempts are from a certain registrar's region, I won't name it, and was wondering instead of blocking individual IPs if there was a way I could block with iptables the complete region of IPs. I realize this will cut off a
2009 Feb 12
5
logs such as messages, boot.log, and kernel contained 0 size
Hi, Both my CentOS 5 servers have logging problems. Logs such as messages, boot.log, kernel, spooler, and tallylog in the /var/log directory are all 0 size. The kernel is: Linux 2.6.18-92.1.22.el5 #1 SMP. Since /var/log/messages contains no information, it would be impossible to troubleshoot the problem. I am very sure both systems have not been hacked by others. Sincerely, Frank Ling
2009 Oct 30
2
Syslog do not work
Guys, attached is copy of both the i) /etc/sysconfig/syslog ii) /etc/syslog.conf I have a Centos ver5.3 The syslog is not working and also I installed Webmin, also it does not work, this is what the error is " Info Internet Explorer cannot
2010 Mar 15
1
log rotation not working
Hello, I've got a CentOS 5.4 box that is not rotating its mail logs. I just found out about this, the file is considerably large. I've included my log rotation configs; if anyone has any suggestions I'm open to them. Thanks. Dave. /etc/rsyslog.conf: # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.*
2009 Jul 09
3
Looking for recommendations for blocking hacking attempts
Hello: I have been looking into projects that will automatically restrict hacking attempts on my servers running CentOS 5. I think the two top contenders are: DenyHosts - http://denyhosts.sourceforge.net Fail2ban - http://www.fail2ban.org From what I see, DenyHosts only blocks based on failed SSH attempts whereas Fail2ban blocks failed attempts for other access as well. The main benefit
2011 May 16
1
issue with fail2ban letting IP's through
Hello, I'm using fail2ban to block bots in conjunction with existing iptables rules. Here's a few rules from my iptables configuration: # # Set up a temporary pass rule so we don't lock ourselves out when #doing remote ssh iptables -P INPUT ACCEPT # # flush the current rules iptables -F # # Allow SSH connections on tcp port 22 iptables -A INPUT -p tcp --dport 22 -j ACCEPT # # Set
2003 Aug 07
1
problems with ipfilter on 5.1-RELEASE
hi all i'm trying to get ipfilter set up on my new 5.1-RELEASE box. ipfilter seems to be working fine. i just have a couple of issues that are probably not very serious... one thing is that during network startup at boot, i get the message IPFilter: already initialized repeated 4 times. i think i have everything configured properly my kernel config looks like options IPFILTER options
2008 Aug 21
12
machine hangs on occasion - correlated with ssh break-in attempts
Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12
2009 Nov 09
1
CentOS 5.4 logrotate and syslog
Anyone having problems with logrotate and CentOS 5.4? Although I have /etc/logrotate.d/mail (contents below) to rotate my maillog file, it fails to do it automatically: /var/log/maillog { compress dateext maxage 365 rotate 60 size=+1024k missingok postrotate /etc/init.d/MailScanner restart endscript } ++++++++++++++++++++++++++++ logrotate.conf:
2009 Dec 03
1
Winbind + SSH + AIX - Connection to aixserver01 closed by remote host
Hello everyone. I was able to get an AIX box configured with winbind, and it looks like everything is working as expected but ssh to the machine and I hope you can help me with this. On the AIX server I'm able to issue wbinfo -u and -g with the right information and also I'm able to do a "su - <AD user>" without any problem. But when doing a remote SSH I just get
2008 Jul 23
1
[Fwd: Re: fail2ban needs shorewall?]
I've used denyhosts. If you do have an issue with fail2ban, it does pretty much the same thing. Andy -------- Original Message -------- Subject: Re: [CentOS] fail2ban needs shorewall? Date: Wed, 23 Jul 2008 17:08:07 +0200 From: Kai Schaetzl <maillists at conactive.com> Reply-To: CentOS mailing list <centos at centos.org> To:
2007 Sep 26
4
Intrusion Detection Systems
Situation: We are providing hosting services. I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks many with dynamic IP addresses. Enter.... thinking about LIDS or Log Based
2006 Aug 30
3
No tcp wrappers, other ideas to help stop brute force attacks?
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server. Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything. It doesn't look like I can
2009 Oct 09
5
Simple way to banish IP addresses ?
Hi, I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine. Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable? Cheers, Niki
2007 Feb 15
8
Defending againts simultanious attacks
Hi, I have one CentOS 4.3 box, exposed to the internet. Since several weeks ago, I found numerous attempts to connect through SSH, but they failed. They tried with many usernames, including root. They come from different IPs. Some of them are foreign websites. How do I make my CentOS become smarter in handling this kind of attack? Even though I've disabled all the user accounts, left only the
2008 Jan 21
5
denyhosts-like app for MySQLd?
Hi all, Is there any app like denyhosts[1] but intended for the MySQLd service? We have a mysql port (3306) opened for remote connections, and obviously the /var/db/mysql/machine_name.log is full of these kinds of entries: ........... 936012 Connect Access denied for user 'user'@'85.19.95.10' (using password: YES) 936013 Connect Access denied for user
2003 Apr 01
1
LOG_AUTHPRIV and the default syslog.conf
Hello, Some time ago I wrote PR conf/48170, which discussed the following problem: Syslog messages of facility LOG_AUTHPRIV and priority LOG_NOTICE (or higher) are sent by default to the world-readable log file /var/log/messages. That seems unacceptable since the facility LOG_AUTHPRIV is for hiding sensitive log messages inside a protected file, e.g., /var/log/auth.log. For example, login(1)
2008 Apr 10
1
memory issues with 1.1.rc4 (now it's PAM)
Hi! I'm running 1.1rc4 on a system and this happens occasionally: --8<-- mail.info; dovecot: auth(default): client in: AUTH 1 PLAIN service=imap lip=NN.NN.NN.NN rip=NNN.NN.NNN.NN lport=143 mail.info; dovecot: auth-worker(default): pam(XXXXXXXXXXXX,NNN.NN.NNN.NN): lookup service=imap kern.alert; kernel: grsec: From NN.NN.NN.NN: denied resource overstep by requesting
2011 Apr 04
6
sshd: Authentication Failures: 137 Time(s)
Hi, to prevent scripted dictionary attacks to sshd I applied those iptables rules: -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --rsource And this is part of logwatch: sshd: Authentication Failures: unknown