similar to: One approach to dealing with SSH brute force attacks.

Displaying 20 results from an estimated 10000 matches similar to: "One approach to dealing with SSH brute force attacks."

2010 Jan 11
2
Securing http authentication from brute force attacks
We have several web applications deployed under Apache that require a user id / password authentication. Some of these use htdigest and others use the application itself. Recently we have experienced several brute force attacks against some of these services which have been dealt with for the nonce by changes to iptables. However, I am not convinced that these changes are the answer. Therefore
2009 May 14
6
Dealing with brute force attacks
Over the weekend one of our servers at a remote location was hammered by an IP originating in mainland China. This attack was only noteworthy in that it attempted to connect to our pop3 service. We have long had an IP throttle on ssh connections to discourage this sort of thing. But I had not considered the possibility that other services were equally at risk. Researching this on the web does
2011 Apr 04
6
sshd: Authentication Failures: 137 Time(s)
Hi, to prevent scripted dictionary attacks to sshd I applied those iptables rules: -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --rsource And this is part of logwatch: sshd: Authentication Failures: unknown
2010 Jun 22
1
iptables and kvm
I am experimenting with a kvm virtual machine. At the moment I am trying to configure iptables for the host instance. In Xen terms I would call this Dom0 but I do not know the appropriate KVM term, if any. The setup I have is a single NIC (eth0) host bridged (bridge0). I want iptables to allow all host generated traffic (! bridge0 I think) and to check all other traffic for brute force
2008 Jul 21
20
Ideas for stopping ssh brute force attacks
just wanted to get some feedback from the community. Over the last few days I have noticed my web server and email box have attempted to ssh'd to using weird names like admin,appuser,nobody,etc.... None of these are valid users. I know that I can block sshd all together with iptables but that will not work for us. I did a little research on google and found programs like sshguard and
2015 Dec 28
9
Firewall trouble?
I recently tried adding a firewall to my Samba 4 server using the port information I found on the wiki. Below is a dump of the resulting rules. root@dc01:~# iptables -S -P INPUT DROP -P FORWARD DROP -P OUTPUT ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m
2008 Nov 28
6
How to delay failed ssh auth
Hi! I need to delay failed ssh password authentication as an additional measure against brute force ssh attacks. I understand that should be accomplished through pam, but googling gave me no example. I have CentOS 5.2. -- Veiko Kukk
2005 Nov 16
11
Need urgent help regarding security
Good Day! I think we have a serious problem. One of our old servers running FreeBSD 4.9 has been compromised and is now connected to an ircd server.. 195.204.1.132.6667 ESTABLISHED However, we still haven't brought the server down in an attempt to track the intruder down. Right now we are clueless as to what we need to do.. Most of our servers are running legacy operating systems (old
2006 Aug 30
3
No tcp wrappers, other ideas to help stop brute force attacks?
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server. Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything. It doesn't look like I can
2005 Oct 25
5
Problem SSH
My CentOS 4.1 only accepts connections from localhost, my file conf is default. error: ssh: connect to host 192.168.1.78 port 22: No route to host thanks
2015 Feb 04
5
Another Fedora decision
On Tue, February 3, 2015 14:01, Valeri Galtsev wrote: > > On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote: >> On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev >> <galtsev at kicp.uchicago.edu> wrote: >>> >>> Sounds so I almost have to feel shame for securing my boxes no >>> matter what job vendor did ;-) >> >> Yes, computers and
2024 Apr 25
1
how to block brute force attacks on reverse tunnels?
On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested: > Subject: how to block brute force attacks on reverse tunnels? > From: Steve Newcomb <srn at coolheads.com> > Date: 25.04.24, 17:14 > > For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose > IP is stable
2012 Dec 15
3
Cannot build custom locale with utf-8 charset
I am trying, without success, to compile a custom locale for the utf-8 character set. I have issued this command: localedef --no-archive -f UTF-8 -i /usr/share/i18n/locales/en_CA@yyyy-mmm-dd en_CA@yyyy-mmm-dd.utf8 which produces the requisite files without reporting an error but which none-the-less insists on using the iso-8859-1 charset: LC_ALL=en_CA@yyyy-mm-dd locale charmap
2010 Jun 29
3
Find a way to block brute force attacks.
Hello list. I'm trying to find a way to block any ip that tries to login more than three times with the wrong password and try to log in three different extensions. For I have suffered some brute force attacks on my asterisk in the morning period. The idea would be: Any ip with three attempts without success to log into an extension is blocked. Is there any way to accomplish this directly
2014 Aug 20
2
Port scanning from MicroSoft?
This morning's activity log shows this: . . . From 23.102.132.99 - 2 packets to tcp(3389) From 23.102.133.164 - 1 packet to tcp(3389) From 23.102.134.239 - 2 packets to tcp(3389) From 23.102.136.210 - 3 packets to tcp(3389) From 23.102.136.222 - 2 packets to tcp(3389) From 23.102.137.62 - 3 packets to tcp(3389) From 23.102.137.101 - 2 packets to tcp(3389) From
2006 Sep 18
3
Gnome Desktop Screensaver Security Lock Override?
We deployed our first CentOS-4 based workstation this past spring to see if we can conveniently replace all, or at least most, of our MS-Win based user systems with Linux boxes instead. Generally this trial unit has proved a success but there is one lingering problem that I cannot seem to find a straight-forward answer to: Is there an administrator override to a user's password protected
2005 Feb 23
9
shorewall friendly way of limiting ssh brute force attacks?
I was wondering if anyone had implemented rules like this in shorewall: http://blog.andrew.net.au/tech I see tons of brute force attempts on the machines I administer, and I like the idea of limiting them without the need for extra daemons scanning for attacks. Thanks, Dale -- Dale E. Martin - dale@the-martins.org http://the-martins.org/~dmartin
2015 Dec 29
1
Firewall trouble?
Alright, I have setup the new rules and am waiting to see if I have any issues. If I do, I will keep working on it. I also read the article below, which mentions exactly what you I was told about 2008 and newer using different ports. https://support.microsoft.com/en-us/kb/929851 Here is the new configuration: root@dc01:~# iptables -S -P INPUT DROP -P FORWARD DROP -P OUTPUT ACCEPT -A INPUT -m
2015 Dec 29
1
Firewall trouble?
I just looked up 42 and 68. I do not use WINS or BOOTP. I am removing range 1024-5000 and replacing it with 49612-65535 now. I already allowed 389 TCP. Lead IT/IS Specialist Reach Technology FP, Inc On 12/29/2015 03:58 AM, L.P.H. van Belle wrote: > Hai, > > Im missing a few things. > > And maybe time server port to open? Are your dc's time server also? > These are the
2015 Feb 03
3
Another Fedora decision
I think it well to recall that the change which instigated this tempest was not to the network operations of a RHEL based system but to the 'INSTALLER' process, Anaconda. Now, I might be off base on this but really, ask yourself: Who exactly uses an installer program? And what is the threat model being addressed by requiring that the installer set a suitably strong password for root?