hrolsons

asked on

Help against Brute Force

I am tired of looking at my /var/log/messages and seeing millions of:

...error: PAM: authentication error for illegal user ...

How can I stop these brute force attacks?
jramsier

Do you have a firewall?  If so, what is open on the firewall?  If it is like FTP or something, you can change the port numbers.
hrolsons (asker)

I know this is a really stupid question, but how do I know if I have a firewall?
ASKER CERTIFIED SOLUTION
Jan Bacher

I have read the FreeBSD handbook about firewalls, and it's a bit overwhelming.  Here is what I'm thinking about doing, after I get the blessing of a few experts:

in rc.conf put statement ipfilter_enable="YES"

and then:

cd /usr/ports/security/py-fail2ban
make install clean

Does this sound reasonable?
Once you enable the firewall, you need to list out the rules.  If everything is allowed, consider restricting critical services by IP and/or subnet.  It surely doesn't hurt to start with a bare firewall and run fail2ban -- but you definitely need to expand upon the rules.
I'm so sorry, this is all very new to me.  So should I do what I said above?  And then how do I list out the rules?
I've also been reading about bruteblock, bruteforceblocker and denyhosts, and wonder if they might do what I need.
Also snort.
Are you plugged in behind a router?  If not, routers have firewalls in them and this will help out a lot.  Don't know much about FreeBSD.

This search result might help:
http://www.google.com/search?q=FreeBSD+firewall&sourceid=ie7&rls=com.microsoft:en-us:IE-SearchBox&ie=&oe=
Not all routers have firewalls.  And, if he's seeing brute force attacks, he needs the server firewall turned on.
OK, basically the idea of brute force is dictionary related: multiple IPs trying logins and passwords. This also depends on what you're trying to protect from this sort of attack: WWW, SSHD, etc.

denyhosts is a great start; check it out, it has multiple applications.
Basically this kind of thing can be limited with the IPFW2 that FreeBSD has, if it's built into the kernel to be enabled.

The command I use for this is as follows:
$fwcmd add 63000 deny tcp from any to any limit src-addr 5

Basically towards the end of the firewall control file; this means deny everything else from anywhere to anywhere, but limit the source IP to 5 connection attempts. After this the connection attempt simply gets dropped. You can choose to log this or play with the rule for WWW or SSHD connections.
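As an added illustration (not code from anyone in this thread), the following Python script does the per-source counting that fail2ban and denyhosts perform on the "PAM: authentication error" lines the asker quoted: it parses constructed sample log lines and flags any source address that fails five times within ten minutes. The host, pid, user and "from <ip>" fields, and the year, are assumed from FreeBSD's usual sshd syslog layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape follows the message quoted in the question; host, pid, user and
# "from <ip>" fields are assumed from FreeBSD's usual sshd syslog layout.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: error: PAM: "
    r"authentication error for (?:illegal user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample of /var/log/messages: five failures from one source in
# ten seconds, two failures two hours apart from another, one successful login.
SAMPLE_LOG = """\
Mar  5 10:00:01 bsdbox sshd[2001]: error: PAM: authentication error for illegal user admin from 203.0.113.7
Mar  5 10:00:03 bsdbox sshd[2002]: error: PAM: authentication error for illegal user oracle from 203.0.113.7
Mar  5 10:00:05 bsdbox sshd[2003]: error: PAM: authentication error for root from 203.0.113.7
Mar  5 10:00:08 bsdbox sshd[2004]: error: PAM: authentication error for illegal user guest from 203.0.113.7
Mar  5 10:00:11 bsdbox sshd[2005]: error: PAM: authentication error for illegal user www from 203.0.113.7
Mar  5 10:01:00 bsdbox sshd[2006]: error: PAM: authentication error for illegal user bob from 198.51.100.4
Mar  5 10:30:00 bsdbox sshd[2007]: Accepted publickey for hrolsons from 198.51.100.4 port 51234 ssh2
Mar  5 12:01:00 bsdbox sshd[2008]: error: PAM: authentication error for illegal user bob from 198.51.100.4
""".splitlines()

def parse_failures(lines, year=2008):
    """Return [(timestamp, user, source_ip)] for each PAM authentication failure."""
    out = []
    for line in lines:
        m = PAM_RE.match(line)
        if m:  # successful logins and other daemons do not match
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["src"]))
    return out

def find_offenders(lines, maxretry=5, window=timedelta(minutes=10)):
    """Source IPs with at least maxretry failures inside any span of `window` (fail2ban's maxretry/findtime)."""
    by_src = defaultdict(list)
    for ts, _user, src in parse_failures(lines):
        by_src[src].append(ts)
    offenders = set()
    for src, stamps in by_src.items():
        stamps.sort()
        # Check every run of maxretry consecutive failures; the source crosses the threshold if one run fits in `window`.
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                offenders.add(src)
                break
    return offenders
```

Note that this counts failed logins over time, whereas the ipfw `limit src-addr 5` rule above caps the number of simultaneous connections per source address; the two are complementary.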