Title: Ban IP addresses?
Post by: physikal on Thursday 25 June 2009, 05:31:10 am
I have noticed a few addresses constantly trying to brute force a few of my Linux servers that are behind my EFW. These boxes have outside addresses attached to virtual interfaces via Endian.
Is there a way I can block these addresses in EFW so that they cannot get to my boxes?

Title: Re: Ban IP addresses?
Post by: gyp_the_cat on Thursday 25 June 2009, 11:40:08 pm
Hi Physikal,
If you could clear up what they are trying to brute force I may be able to help more. You can always ban their IP address via the console (on the servers or Endian) using:
Quote
iptables -A INPUT -s <IP> -j DROP
If you mean SSH brute force attempts, I found that fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) made a massive difference in stopping these kinds of attack. I suppose other methods may be to just block the ports (if you can), or use Snort to sniff the packets.
Gyp

Title: Re: Ban IP addresses?
Post by: physikal on Friday 26 June 2009, 01:29:23 am
Yes it is SSH Brute Force. Sorry I did not state that before.
So is there any GUI to manage these banned IPs? If not, that's a bit surprising. I wonder why they haven't put that in yet.

Title: Re: Ban IP addresses?
Post by: gyp_the_cat on Friday 26 June 2009, 08:32:49 am
I'd heartily recommend you try Fail2ban on your servers, solved a heck of a lot of our problems pretty much instantly!
The firewall component on EFW is somewhat different to a lot of other products, but it's still based on excellent security principles. I guess if you want to try this through the GUI you could always set up a NAT rule to route from the offending IPs to an empty internal IP :)
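
Added example, not part of the thread and not Fail2ban's own code: a sketch of the log-to-ban logic the replies recommend, counting failed SSH logins per source address in a time window and printing the DROP command quoted above for each offender. The log lines are constructed, and the OpenSSH "Failed password" syslog format, the names max_retry and find_time, and the year are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines using documentation address ranges (not real data).
# The third line carries a user name crafted to look like a different source IP.
SAMPLE_LOG = """\
Jun 25 05:31:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 25 05:31:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jun 25 05:31:05 web1 sshd[2105]: Failed password for invalid user x from 192.0.2.1 port 22 ssh2 from 203.0.113.7 port 40141 ssh2
Jun 25 05:31:09 web1 sshd[2110]: Accepted password for alice from 198.51.100.20 port 51515 ssh2
Jun 25 05:40:00 web1 sshd[2200]: Failed password for bob from 198.51.100.20 port 51600 ssh2
Jun 25 07:00:00 web1 sshd[2300]: Failed password for bob from 198.51.100.20 port 51700 ssh2
Jun 25 09:00:00 web1 sshd[2400]: Failed password for bob from 198.51.100.20 port 51800 ssh2
"""

# Greedy ".+" plus the "$" anchor make the LAST "from <ip> port <n>" win, so text
# injected through the user name cannot get somebody else's address banned.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.+ from (\S+) port \d+ ssh2$"
)

def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2009):
    """Return source IPs with max_retry failures inside any find_time window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:  # only a syntactically valid address may reach a firewall command
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue
        # Syslog timestamps carry no year; the year argument is an assumption.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()  # forget failures older than the window
        if len(window) >= max_retry and ip not in banned:
            banned.append(ip)
    return banned

def drop_rules(ips):
    """Render the command form quoted in the thread; nothing is executed."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

With the sample input only 203.0.113.7 is reported: the three spaced-out failures from 198.51.100.20 never fall inside one window.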