Shaun Wingrin
asked on
Linux CentOS Server Probe attack - how to detect and block
Say,
The IP xxx.xxx.xxx.xxx seriously probed the server.
Ideally we should try to find some software so that if an IP starts to probe the
server it gets automatically blocked.
Do you know of software for this?
RedHat/CentOS server
I use fail2ban [with iptables]. That's what I would recommend.
If you have your iptables firewall set up properly, only certain ports (for which you have a service running) will be open...
But you're right if you say "dropping" all the failed requests in a port scan isn't enough... that's why I prefer a "tarpit" approach...
Read Symantec's take here:
In addition, even though I allow SSH access to my server, I use fail2ban to stop potential attackers from attempting to break in the old-fashioned way (password guessing).
Just my 2-cents worth...
Dan
IT4SOHO
ASKER
tx for feedback - investigating...
IIRC fail2ban's main purpose is to detect failed logins and block those IPs, but not to detect portscans or whatever
anyway, step in the right direction ...
Actually there are several tools and several ways; the most important thing is to find out how to make it work for you. For example, with fail2ban you could have a failregex that reads from your syslog/messages all entries with a specific pattern, defined by iptables with its "-j LOG --log-prefix", so when iptables reads a PORT DENIED: it will append it to syslog/messages and fail2ban will detect the IP address and automatically ban it.
In short, in iptables (the LOG target does not terminate the chain, so put this rule in <chain_name> just before the DROP rule that handles the unwanted packets, and every one of them gets logged with the prefix fail2ban will look for):
    -A <chain_name> -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
In fail2ban, the filter goes in its own file, /etc/fail2ban/filter.d/portscan.conf, which is what "filter = portscan" in the jail refers to:
    [Definition]
    failregex = PORT DENIED: .* SRC=<HOST>
    ignoreregex =
and the jail goes in /etc/fail2ban/jail.local (the plain iptables action only blocks the banned source on the ssh port by default; iptables-allports blocks it on every port, which is what you want for a scanner):
    [portscan]
    enabled = true
    filter = portscan
    action = iptables-allports[name=portscan]
    logpath = /var/log/messages
    maxretry = 3
P.S.: this was not of my personal knowledge, its just an example I found and documented at: http://www.irrexpr.com/2013/06/using-iptables-logging-and-fail2ban-to.html
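To see what that jail actually does with such log lines, here is a small Python script that replays constructed /var/log/messages lines through the same failregex and the maxretry/findtime logic. It is an added example, not fail2ban's own code and not from the linked post; the sample log lines, the IPv4-only expansion of <HOST>, the fixed year used to parse syslog timestamps, and the f2b-portscan chain name in ban_command are all the example's own assumptions.

```python
"""Replay of the fail2ban 'portscan' jail described above (added example, not
fail2ban's own code): parse syslog lines written by the iptables LOG target with
--log-prefix "PORT DENIED: ", apply the failregex, and ban a source once it has
maxretry matches inside a findtime-second window."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/messages lines (addresses from documentation
# ranges): one host hits three closed ports in four seconds, another host trips
# the rule three times but 15 minutes apart, and an unrelated sshd line is mixed in.
SAMPLE_LOG = """\
Jun 14 10:01:02 centos kernel: PORT DENIED: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:01:03 centos kernel: PORT DENIED: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=54322 PROTO=TCP SPT=41235 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:01:04 centos sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
Jun 14 10:01:05 centos kernel: PORT DENIED: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=54323 PROTO=TCP SPT=41236 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:30:00 centos kernel: PORT DENIED: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.55 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=TCP SPT=50001 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:45:00 centos kernel: PORT DENIED: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.55 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=2 PROTO=TCP SPT=50002 DPT=8081 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 11:00:01 centos kernel: PORT DENIED: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.55 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=TCP SPT=50003 DPT=8082 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# fail2ban's <HOST> placeholder also accepts IPv6 and hostnames; this example
# only matches dotted-quad IPv4 (a simplification made for the example).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The failregex from the jail, with <HOST> expanded.
FAILREGEX = re.compile(r"PORT DENIED: .* SRC=" + HOST_RE + r" ")
# Classic syslog timestamp "Jun 14 10:01:02" at the start of each line (no year).
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
YEAR = 2013  # assumed: syslog lines carry no year, fail2ban infers it


def parse_line(line):
    """Return (timestamp, source host) for a line the failregex matches, else None."""
    m_ts = SYSLOG_TS.match(line)
    if not m_ts:
        return None
    m = FAILREGEX.search(line[m_ts.end():])  # match the part after the timestamp
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def scan(log_text, maxretry=3, findtime=600):
    """Replay log lines in order and return {host: ban_time} for every host that
    reached maxretry matches inside a sliding window of findtime seconds
    (maxretry from the jail above, findtime at fail2ban's default of 600)."""
    hits = defaultdict(deque)  # host -> timestamps of recent matches
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a PORT DENIED line (e.g. the sshd message)
        ts, host = parsed
        window = hits[host]
        window.append(ts)
        # forget matches older than findtime, as fail2ban does
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts
            window.clear()
    return bans


def ban_command(host, name="portscan"):
    """Rule of the kind fail2ban's iptables-allports action inserts for a banned
    source (chain name f2b-<name> is an assumption; older releases used fail2ban-<name>)."""
    return f"iptables -I f2b-{name} 1 -s {host} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    for host, when in scan(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {host}: {ban_command(host)}")
```

With the defaults, 203.0.113.7 is banned at its third hit (10:01:05) while 192.0.2.55 never is: each of its hits falls out of the 600-second window before the next arrives, which is the findtime behaviour to keep in mind when a slow scanner spreads probes over hours. Raising findtime (or lowering maxretry) catches the slow one at the price of more false positives from legitimate clients that occasionally hit a closed port.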
ASKER
tx!
ASKER
Is perhaps on the track...
Please explain this command.
However we need a program that automatically can detect and block this type of probing!