
Hacking attempts on server


bobdole369

Diamond Member
Dec 15, 2004
We used to have brute attempts against our ftp server all the time. Former admin did not use any lockout method.

It's part of the datacenter environment. You get a block of IPs known to have machines that might be run by inept admins; it's gonna happen.

That said, I was proactive and took basic measures (blocking first the /32, then /29s, and in one case all of a /24) (that is, route to null). It took a while but eventually most of the serious attacks died down.
 

manlymatt83

Lifer
Oct 14, 2005
This is what I use:

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

add that to /etc/sysconfig/iptables and restart iptables...

Paste your current ruleset if you want us to make sure it won't affect any other rules.
 
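To make the per-address behaviour of those three rules concrete, here is an added Python model of the recent-module bookkeeping they rely on (my own illustration, not code from the post and not the kernel's xt_recent implementation; the cap of 20 stamps per address follows the module's default ip_pkt_list_tot). The sample events are constructed.

```python
from collections import defaultdict, deque

# Parameters taken from the posted rules: --seconds 60 --hitcount 4.
WINDOW_SECONDS = 60
HITCOUNT = 4
# xt_recent keeps a bounded list of timestamps per address
# (module parameter ip_pkt_list_tot, default 20).
MAX_STAMPS = 20


class RecentSshFilter:
    """Models the per-source-address state the three rules build up."""

    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def new_connection(self, src, now):
        """Verdict ("ACCEPT" or "DROP") for one NEW connection to port 22."""
        stamps = self.stamps[src]
        # Rule 1: '-m recent --set' records this packet; it has no -j,
        # so evaluation continues with the next rule.
        stamps.append(now)
        # Rule 2: '--update --seconds 60 --hitcount 4' matches when at least
        # hitcount stamps fall inside the window (this packet's own included).
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        if hits >= self.hitcount:
            # --update refreshes the entry on a match, so a client that keeps
            # retrying keeps extending its own block.
            stamps.append(now)
            return "DROP"
        # Rule 3: everything else reaches the plain ACCEPT.
        return "ACCEPT"


def run_trace(events, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Apply the filter to a list of (time, src) NEW-connection events."""
    f = RecentSshFilter(seconds, hitcount)
    return [(t, src, f.new_connection(src, t)) for t, src in events]


# Constructed sample: one host hammering port 22 every 5 s, an admin connecting
# once from elsewhere, then the hammering host coming back after a pause.
SAMPLE_EVENTS = [(0, "198.51.100.7"), (5, "198.51.100.7"), (10, "198.51.100.7"),
                 (15, "198.51.100.7"), (20, "198.51.100.7"), (21, "203.0.113.9"),
                 (75, "198.51.100.7"), (90, "198.51.100.7")]

if __name__ == "__main__":
    for t, src, verdict in run_trace(SAMPLE_EVENTS):
        print(f"t={t:3d}s {src:14} {verdict}")
```

Running the trace shows the fourth attempt inside 60 s being dropped, the retry at t=75 still dropped because the refreshed stamps keep the address over the threshold, and the unrelated address unaffected; the same counter also catches a legitimate admin who reconnects four times quickly from one address.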

tonygeor

Senior member
Dec 27, 2009
Awesome these are great tips. I've been learning pretty hardcore the last couple months.

Sometimes I feel like my CS degree only taught me to hate C++ and what a for loop is :p
 

Crusty

Lifer
Sep 30, 2001
I wouldn't do #1. Security by obscurity is a bad habit to get into, in my opinion.

#2 sounds good.... /etc/ssh/sshd_config, PermitRootLogin no

#3 works well, but it could get annoying for you, especially if you login from different machines a lot.

#4 is the best choice, in my opinion. There's an easier way to do it with iptables (Linux) or pf (FreeBSD) that makes fail2ban not needed... I can post the one line ruleset if you'd like.

#5 is good, too.

Uhh... sure it's obscurity but it's not the only line of defense. Anything helps when you have a public facing box. Changing the port will stop 99% of the script kiddies, everything else will keep everyone else away.

If you have a hard time managing your keypairs you shouldn't be managing a server.