Today, I recieved an email from my server notifying me that someone was actually trying to brute-for...
Today, I recieved an email from my server notifying me that someone was actually trying to brute-force into the server so I thought I'd make a tutorial how to protect yourself or your server.
First, you'll need APF to be installed, I'm not going to go in details on how to setup the firewall, but you'll simply need it install so that BFD (brute force detector) can block the IP from trying to “brute force”.
Installing APF
```
$ cd ~
$ wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
$ tar -xvzf apf-current.tar.gz
$ rm -f apf-current.tar.gz
$ cd apf-*
$ sudo sh install.sh
```
Installing BFD
```
$ cd ~
$ wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
$ tar -xvzf bfd-current.tar.gz
$ rm -f bfd-current.tar.gz
$ cd bfd-*
$ sudo sh install.sh
```
Configuring BFD
Use your favorite text editor (I prefer nano) to edit the configuration file, /usr/local/bfd/conf.bfd.
```
-ALERT_USR="0"
+ALERT_USR="1"
```
```
-EMAIL_USR="root"
+EMAIL_USR="your.email@webserver.com"
```
Save your modifications and exit your editor, start BFD by running /usr/local/sbin/bfd -s. Now, whenever BFD will detect a bruteforce, it will email you at the email set above & BFD will run the command /etc/apf/apf -d the.attackers.ip. The emails you will usually recieve look like this:
```
Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from the.attackers.ip
Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from the.attackers.ip
Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from the.attackers.ip port 48215 ssh2
Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from the.attackers.ip port 48223 ssh2
Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from the.attackers.ip
Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from the.attackers.ip port 48322 ssh2
Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from the.attackers.ip port 48329 ssh2
```
Oh, and one thing I have done after I recieved the attack, I immeditaly changed the default SSH port. Use your favorite text editor (nano again!) to edit /etc/ssh/sshd_config.
Find
```
#Port 22
```
Uncomment that line (Remove the #) and replace the 22 by the port you want SSH to use (Max. port number is 49151 so make sure you don't put anything past that. Afterwards, restart SSH. Usually on CentOS it is service sshd restart and in other operating systems, it is /etc/rc.d/init.d/sshd restart.
If you are interested in reading our other blog posts, you can check them out on our website. If you have any questions, you can communicate with us through our Contact Us page. One of our support team member will be more than happy to assist you.
Don't forget to follow us on Twitter for announcements, news and update - @vexxhost.
How to Up Your DevOps Game with Project Gating: Zuul - A CI/CD Gating Tool
Download White Paper
