Secure your Linux box using autoban
Written by Michael D.
Here are some tips to make your Linux server safer from intruders.
I recently looked through my log files on Linux and noticed a few hundred failed logins from different hosts against my sshd service. I wanted to secure it using iptables, but this reduced my mobility quite a lot: by denying packets from all hosts and accepting only a few trusted ones, I ended up not being able to access my server from everywhere I want. So I searched the Internet for an alternative and found DenyHosts, an open source project hosted on SourceForge. This Python script is very useful and brings many options that help in the fight against attackers. Its features include allowed and denied host list files that are updated dynamically by analyzing the attempts in the service's log files, e-mail functions to notify you if something happens, and a synchronization tool that fetches the hosts that were banned several times around the world and denies them on your server too.

Downloading the script
To download the script, go to http://denyhosts.sourceforge.net/ or, if you are using Fedora Core, try "yum install denyhosts".

Configuring the script
After installing it, you need to edit its configuration file. This is typically found in /usr/share/doc/denyhosts-xx, where xx is your current version. Open the file denyhosts.cfg-dist located there with an editor and edit all the fields you need. Here are the most important ones:

# The path to your authentication log file
SECURE_LOG = /var/log/secure
# The path to the file listing hosts denied access to the services
HOSTS_DENY = /etc/hosts.deny
# The time a host is kept denied if no other attack happens (e.g. 1w = one week)
PURGE_DENY = 1d
# The services to be blocked for the denied hosts: one or more service names, ALL, or blank for none
BLOCK_SERVICE = sshd
# Look up the hostname of the denied IP
HOSTNAME_LOOKUP=YES
# Admin e-mail for sending triggered updates (the second address is obscured on the original page)
ADMIN_EMAIL = root, <second address obscured on the original page>
# SMTP settings
SMTP_HOST = localhost
SMTP_PORT = 25
# Optional, only if you send the mail through an external SMTP server
SMTP_USERNAME=
SMTP_PASSWORD=
# Daemon log file
DAEMON_LOG = /var/log/denyhosts
# Daemon cycle time: the period between checks for new hosts to deny
DAEMON_SLEEP = 1800s

After checking all variables, save the file under a new name, denyhosts.cfg.

Running it
Now you can start the Python script in three ways:
- One-time run: denyhosts.py --file /var/log/secure
- Daemon run: denyhosts.py --daemon
- Run it from cron to do the task periodically
Be sure that you run the script from the directory that contains the configuration file. Now DenyHosts is up and running and will ban the intruders for you. If running in daemon mode, check /etc/hosts.deny and /var/log/denyhosts from time to time to see that all is well. This is an example of hosts.deny output:

# DenyHosts: Thu Jun 21 05:25:31 2007 | vsftpd: 203.234.83.85
vsftpd: 203.234.83.85
# DenyHosts: Thu Jun 21 05:25:31 2007 | vsftpd: 200.91.244.86
vsftpd: 200.91.244.86
# DenyHosts: Thu Jun 21 05:25:31 2007 | vsftpd: 222.122.138.42
vsftpd: 222.122.138.42
# DenyHosts: Thu Jun 21 06:19:21 2007 | sshd: 192.168.0.100
sshd: 192.168.0.100
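The ban-and-purge cycle described above, as an added Python example that is not DenyHosts' own code: it counts failed sshd logins in constructed /var/log/secure lines, renders hosts.deny entries in the layout shown above, and applies a PURGE_DENY-style expiry. The failure threshold, the sample log lines and the timestamps are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed /var/log/secure lines in syslog format; not taken from the original page.
SAMPLE_LOG = """\
Jun 21 05:20:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jun 21 05:20:03 box sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Jun 21 05:20:05 box sshd[2103]: Failed password for root from 203.0.113.5 port 41030 ssh2
Jun 21 05:21:10 box sshd[2110]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Jun 21 05:22:00 box sshd[2115]: Accepted publickey for bob from 198.51.100.7 port 50002 ssh2
"""
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def failed_logins(log_text):
    """Count failed sshd password attempts per source address (the SECURE_LOG scan)."""
    matches = (FAILED_RE.search(line) for line in log_text.splitlines())
    return Counter(m.group(1) for m in matches if m)

def hosts_to_deny(counts, threshold):
    """Addresses with at least `threshold` failures; the threshold is an assumed parameter."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def deny_entries(ips, service, stamp):
    """hosts.deny layout shown on the page: '# DenyHosts: <date> | svc: ip', then 'svc: ip'."""
    head = f"# DenyHosts: {stamp:%a %b %d %H:%M:%S %Y} | {service}: "
    return "\n".join(f"{head}{ip}\n{service}: {ip}" for ip in ips)

def parse_purge(value):
    """Turn a PURGE_DENY-style value ('1d', '1w', '1800s') into a timedelta."""
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
    return timedelta(**{units[value[-1]]: int(value[:-1])})

def purge_expired(entries, now, purge_deny):
    """Keep only (ip, banned_at) pairs younger than PURGE_DENY, as the purge step does."""
    cutoff = now - parse_purge(purge_deny)
    return [(ip, t) for ip, t in entries if t >= cutoff]

def run_example():
    """Full cycle over the constructed log: count, select, render, purge."""
    counts = failed_logins(SAMPLE_LOG)
    banned = hosts_to_deny(counts, threshold=3)
    stamp = datetime(2007, 6, 21, 6, 19, 21)  # constructed; same date style as the page
    rendered = deny_entries(banned, "sshd", stamp)
    # A ban from two days earlier is dropped under PURGE_DENY = 1d; the fresh one stays.
    old = [("203.0.113.5", stamp), ("192.0.2.9", stamp - timedelta(days=2))]
    kept = purge_expired(old, now=stamp + timedelta(hours=1), purge_deny="1d")
    return counts, banned, rendered, [ip for ip, _ in kept]
```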
written by gelgin , March 11, 2009
Too bad it couldn't be taught to do a similar service for smtp (like files). I realize it's a much greater effort since postfix logs (my preference) don't look much like sendmail logs.

Last Updated: Saturday, 23 June 2007