seanmusic
« on: December 07, 2007, 07:20:01 AM »
I run Plesk and their firewall on my VPS. I also set it up so that I get the brute force attack warnings, but apparently this line of code
Executed ban command: /etc/apf/apf -d 72.22.64.164 {bfd.sshd}
is not working, since I have multiple attacks from the same IP. Lunarpages told me to install APF, but the APF install says not to run both APF and the Plesk firewall.
If I am using the Plesk firewall, what is the best way to guard against brute force, or should I just manually remove the IP addresses when they come in?
perestrelka
« Reply #1 on: December 07, 2007, 09:57:52 PM »
Hello Seanmusic, manually denying IPs that are brute forcing your SSH would be a pain, due to the multiple brute force attempts occurring nowadays. You could install something like Fail2Ban ( http://www.fail2ban.org/) or DenyHosts ( http://denyhosts.sourceforge.net/). Both scripts should work with the Plesk firewall and block IPs after a few failed SSH login attempts. I hope this helps.
Kind Regards, Vlad Artamonov
jetx
« Reply #2 on: April 12, 2008, 12:47:41 AM »
Can you provide a bit of advice with regard to DenyHosts? While installing it, everything went fine (VPS), including editing the cfg file. I followed the method according to http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts?from=10&comments_per_page=10; however, at the stage where a system bootup link is created, the command is not working: ln -s /usr/share/denyhosts/daemon-control denyhosts. From there it doesn't go any further. Is this an incorrect command? I really have no knowledge currently of what commands are correct. Also, is there a newer FAQ you know of? Thanks.
perestrelka
« Reply #3 on: April 12, 2008, 01:37:13 AM »
Jetx,
What error did you get running the ln command? Unfortunately, I don't have links to other setup HOWTOs handy.
Kind Regards, Vlad Artamonov
jetx
« Reply #4 on: April 12, 2008, 02:45:01 PM »
I get this response: -bash: In: comand not found
vlad.panainte
« Reply #5 on: April 12, 2008, 04:39:12 PM »
Hello,
If you are running that command from the shell, it should be working just fine.
The ln command creates pseudonyms for files, which allows them to be accessed by different names. These pseudonyms are called links.
Please advise what the full command is that you are trying to use, so that we are able to investigate further.
Thank you
jetx
« Reply #6 on: April 12, 2008, 07:06:22 PM »
The files were installed using the SSH Java app within Plesk.
The files were installed and the config files created, including /usr/bin/denyhosts.py, /var/run/denyhosts.pid, /usr/share/denyhosts/denyhosts.cfg.
Following this, the instruction is chown root daemon-control, chmod 700 daemon-control. No problem.
Next the instruction was: cd /etc/init.d
Then: ln -s /usr/share/denyhosts/daemon-control denyhosts
This received the response: -bash: In: comand not found
perestrelka
« Reply #7 on: April 13, 2008, 12:49:55 AM »
Hi Jetx,
Looks like you mixed up "I" (uppercase "i") and "l" (lowercase "L"). The command you need to input uses lowercase "L" - "l".
Kind Regards, Vlad Artamonov
jetx
« Reply #8 on: April 13, 2008, 02:24:56 AM »
Yes!! Thank you!
perestrelka
« Reply #9 on: April 13, 2008, 11:15:12 AM »
Yes!! Thank you!
You are most welcome!
Kind Regards, Vlad Artamonov
jetx
« Reply #10 on: April 13, 2008, 03:55:18 PM »
Well, everything installed, but it doesn't appear to be working: although the service starts, I'm still getting brute force attacks without the IP being banned.
The log: SECURE_LOG = /var/log/secure
has constant attempts.
The hosts.deny: HOSTS_DENY = /etc/hosts.deny
has nothing and is not updated.
Could you explain why?
Does this mean that tcp_wrappers is not enabled?
I really need to get this going.
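What the post above describes is the whole DenyHosts loop: read SECURE_LOG for sshd failures, count them per source address, and write "sshd: <ip>" lines into HOSTS_DENY so tcp_wrappers refuses that address. As an added illustration (this is not DenyHosts' own code, nor anything from the thread), the script below does that loop in miniature; the log lines, the IPs and the threshold of 3 are constructed for the example, and the demo writes to a temporary file instead of /etc/hosts.deny.

```python
"""Added example: a minimal DenyHosts-style detector (not DenyHosts' own code).

It scans sshd "Failed password" lines of the kind syslog writes to
/var/log/secure (or /var/log/messages on some CentOS setups), counts failures
per source IP and produces hosts.deny entries for addresses at or over a
threshold. All log lines, IPs and the threshold are constructed for the example.
"""
import re
import tempfile
from collections import Counter

# sshd failure line as logged on CentOS; "invalid user" is present only when the
# account does not exist. Real DenyHosts matches several more variants.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of what SECURE_LOG might contain: one noisy source,
# one legitimate user who mistyped a password once and then logged in.
SAMPLE_SECURE_LOG = """\
Apr 13 11:02:15 vps sshd[2311]: Failed password for invalid user admin from 72.22.64.164 port 51934 ssh2
Apr 13 11:02:18 vps sshd[2313]: Failed password for invalid user oracle from 72.22.64.164 port 51940 ssh2
Apr 13 11:02:21 vps sshd[2315]: Failed password for root from 72.22.64.164 port 51947 ssh2
Apr 13 11:02:24 vps sshd[2317]: Failed password for root from 72.22.64.164 port 51952 ssh2
Apr 13 11:05:40 vps sshd[2402]: Failed password for jetx from 203.0.113.5 port 40211 ssh2
Apr 13 11:05:52 vps sshd[2402]: Accepted password for jetx from 203.0.113.5 port 40211 ssh2
"""


def count_failures(log_text):
    """Return a Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def hosts_deny_entries(counts, threshold=3, existing_text=""):
    """Build the 'sshd: <ip>' lines to add for IPs at or over the threshold.

    Entries already present in existing_text are skipped, so repeated runs
    do not duplicate lines when the same offender keeps retrying.
    """
    present = {line.strip() for line in existing_text.splitlines()}
    return [
        f"sshd: {ip}"
        for ip, n in sorted(counts.items())
        if n >= threshold and f"sshd: {ip}" not in present
    ]


def update_hosts_deny(path, log_text, threshold=3):
    """Append new entries to the hosts.deny file at path; return what was added."""
    try:
        with open(path, encoding="utf-8") as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    new_lines = hosts_deny_entries(count_failures(log_text), threshold, existing)
    if new_lines:
        with open(path, "a", encoding="utf-8") as fh:
            if existing and not existing.endswith("\n"):
                fh.write("\n")
            fh.write("\n".join(new_lines) + "\n")
    return new_lines


def demo_run():
    """Run the detector twice against a temporary hosts.deny; return both results."""
    with tempfile.NamedTemporaryFile("w", suffix=".deny", delete=False) as tmp:
        deny_path = tmp.name  # empty file standing in for /etc/hosts.deny
    first = update_hosts_deny(deny_path, SAMPLE_SECURE_LOG)
    second = update_hosts_deny(deny_path, SAMPLE_SECURE_LOG)  # nothing new to add
    return first, second


if __name__ == "__main__":
    first, second = demo_run()
    print("first run added:", first)    # ['sshd: 72.22.64.164']
    print("second run added:", second)  # []
```

The second run adds nothing because the entry is already there; a detector that is not idempotent fills hosts.deny with duplicates. DenyHosts itself keeps separate thresholds for invalid users, valid users and root, and also has to be pointed at the log file sshd actually writes to, which on some systems is /var/log/messages rather than /var/log/secure. An empty, never-updated hosts.deny usually means the log path or the threshold is wrong, not that tcp_wrappers is off; whether sshd honours hosts.deny at all can be checked with ldd on the sshd binary and looking for libwrap in the output.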
jetx
« Reply #11 on: April 14, 2008, 07:30:50 PM »
The other thing I would like to know is whether editing the sshd_config (/etc/ssh/) is better than relying on the Plesk firewall. For some reason the sshd_config is all commented out. Wouldn't it make sense to at least set:
MaxAuthTries LoginGraceTime
Or is this file ignored by this VPS setup?
Really, the documentation provided by Lunar is pretty basic.. flash tutorial lol.
Ideally I'd like to figure out this damn DenyHosts.. and why, even with hosts.blocked instead of hosts.deny in the denyhosts.cfg, it's not writing to the file.. although the message log, not the secure log as stated above.. (I established this is the log which is used, and specified it in the cfg).. shows that DenyHosts has recorded the attempts.
perestrelka
« Reply #12 on: April 15, 2008, 06:55:42 AM »
Hi,
What is DenyHosts writing into the logs in /var/log/denyhosts? You can configure your sshd settings with sshd_config if it is required, but this won't block bruteforcing attempts. BTW, there is another drastic way to get rid of them - if your PC has a static Internet IP, you could allow SSH access only for it and a few Lunarpages hosts. These IPs can be trusted and you'll get no more bruteforcing attempts.
Kind Regards, Vlad Artamonov
jetx
« Reply #13 on: April 15, 2008, 01:09:55 PM »
DenyHosts is working now, so that's good.
You suggest only allowing SSH access to specific IPs. I've done that already in the Plesk firewall. The problem there is that the firewall is not the first point of contact with the VPS (I don't think); a hardware firewall would be the way to go, I guess.
Is there another way besides the Plesk firewall to accomplish what you suggest? Note: I've edited the hosts.allow file to include my static IPs and localhost, 127.0.0.1, and I suppose to prevent everyone else I would edit the hosts.deny to something like SSHD:All. I'm not really understanding how CentOS works at all, so I have been somewhat reluctant to just experiment. What do you think?
perestrelka
« Reply #14 on: April 15, 2008, 09:32:42 PM »
Jetx,
I'm sorry, but you are incorrect about the SSH access. The hardware node intercepts only connections to the Plesk and VZPP ports; the rest go to your VPS directly. TCP wrappers (hosts.allow and hosts.deny) can also be used to restrict access to SSH, and what you would set up should work. I would just recommend not using both iptables and TCP wrappers for the same goal, so you don't trip yourself up.
Kind Regards, Vlad Artamonov
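The hosts.allow/hosts.deny setup discussed in the last two replies (static IPs and localhost in hosts.allow, "sshd: ALL" in hosts.deny) only does what the poster expects because of the order tcp_wrappers evaluates the two files. The evaluator below is an added example, not tcp_wrappers' own code and not from the thread; it reproduces that order for the common client patterns (ALL, an exact IPv4 address, a dotted prefix such as "198.51.100.", and a net/mask pair). The rule files and addresses are constructed for the example.

```python
"""Added example: a small tcp_wrappers access-control evaluator (not tcp_wrappers' own code).

It applies the order hosts_access(5) uses: a matching line in hosts.allow
permits, otherwise a matching line in hosts.deny refuses, otherwise access is
granted. Only a subset of client patterns is handled: ALL, an exact IPv4
address, a dotted prefix like "198.51.100." and a net/mask pair. The EXCEPT
operator, hostnames and options are left out. Rule files and addresses below
are constructed for the example.
"""
import ipaddress

# Constructed hosts.allow: the admin's static IP, loopback and one office net.
HOSTS_ALLOW = """\
sshd: 203.0.113.5 127.0.0.1
sshd: 198.51.100.0/255.255.255.0
"""

# Constructed hosts.deny: everyone else is refused, for sshd only.
HOSTS_DENY = """\
sshd: ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].split()
        clients = fields[1].split() if len(fields) > 1 else []
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern against a dotted IPv4 address."""
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:  # n.n.n.n/m.m.m.m form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # leading-octets prefix
        return ip.startswith(pattern)
    return pattern == ip


def rule_matches(rule, daemon, ip):
    """True when the rule names this daemon (or ALL) and one client pattern matches."""
    daemons, clients = rule
    daemon_ok = any(d.upper() == "ALL" or d.lower() == daemon.lower() for d in daemons)
    return daemon_ok and any(client_matches(c, ip) for c in clients)


def access_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' for a client of daemon, in hosts_access order."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip):
            return "deny"
    return "allow"  # no rule matched anywhere: tcp_wrappers permits


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.77", "72.22.64.164"):
        print(f"sshd from {ip}: {access_decision('sshd', ip)}")
    # With an empty hosts.deny nothing is refused, which is exactly what an
    # un-updated /etc/hosts.deny means in practice.
    print("sshd from 72.22.64.164 with empty hosts.deny:",
          access_decision("sshd", "72.22.64.164", deny_text=""))
```

Two points the run makes visible: the deny rule only covers sshd, so other daemons are untouched unless they get their own line, and an empty hosts.deny means everything is permitted, which is why an address merely logged but never written to the file is never blocked. This only applies to daemons linked against libwrap, and as the reply above says, it is easier to reason about if the same restriction is not also duplicated in iptables.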