Protect yourself from brute-forcers

Posted: August 17, 2006 at 6:56 pm | (4) Comments

Today, I recieved an email from my server notifying me that someone was actually trying to brute-force into the server so I thought I’d make a tutorial how to protect yourself or your server.

First, you’ll need APF to be installed, I’m not going to go in details on how to setup the firewall, but you’ll simply need it install so that BFD (brute force detector) can block the IP from trying to “brute force”.

Installing APF

1
2
3
4
5
6
cd ~
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf-*
sudo sh install.sh

Installing BFD

1
2
3
4
5
6
cd ~
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
rm -f bfd-current.tar.gz
cd bfd-*
sudo sh install.sh

Configuring BFD
Use your favorite text editor (I prefer nano) to edit the configuration file, /usr/local/bfd/conf.bfd

Find

1
ALERT_USR="0"

and replace it with

1
ALERT_USR="1"

Find

1
EMAIL_USR="root"

and replace it with

1
ALERT_USR="[email protected]"

Save your modifications and exit your editor, start BFD using the line

1
/usr/local/sbin/bfd -s

Now, whenever BFD will detect a bruteforce, it will email you at the email set above & BFD will run the command

1
/etc/apf/apf -d the.attackers.ip

The emails you will usually recieve look like this:

1
2
3
4
5
6
7
Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from the.attackers.ip
Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from the.attackers.ip
Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from the.attackers.ip port 48215 ssh2
Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from the.attackers.ip port 48223 ssh2
Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from the.attackers.ip
Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from the.attackers.ip port 48322 ssh2
Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from the.attackers.ip port 48329 ssh2

Oh, and one thing I have done after I recieved the attack, I immeditaly changed the default SSH port. Use your favorite text editor (nano again!) to edit

1
/etc/ssh/sshd_config

Find

1
#Port 22

And uncomment the line (Remove the #) and replace the 22 by the port you want SSH to use (Max. port number is 49151 so make sure you don’t put anything past that. Afterwards, restart SSH. Usually on CentOS it is

1
service sshd restart

and in other operating systems, it is

1
/etc/rc.d/init.d/sshd restart

After getting attacked, I did a WHOIS on the IP (Run

1
whois the.attackers.ip

). You’ll usually see one of the emails something like [email protected].

Make sure to send them an email including the logs from the email, your server IP and the attackers IP.

Thanks alot for reading

Newer Entries »
Subscribe

Categories

Archives

Using another web host?

We understand how difficult switching web hosting companies can get, that is why we assist all of our new clients by handling the complete moving procedure for free! We make switching hosts quick and easy for you, we'll move your files and your databases from your old host to our servers all for free.
What our clients are saying — Read More →

Although I have been a client with vexxhost for a few months the support that I have received from them and the assistance and online help has been awesome to say the least, I have one site in particular which has OVER 70 active members and I do not have any worries in regards to data loss as vexxhost's backup systems and protocols in place allow for minimal data loss given any circumstances ie: poor management on my part or hacks, etc. On other peoples parts and so alike. I also wish to extend my thanks and gratitude to vexxhost and hope to continue a valued client and that you also will continue to be a valued host of my major site along with the rest of my sites hosted at vexxhost.


Dean
Awards — View More →
Technology Partners