Ban IP addresses?

[Guest]

[physikal]

I have noticed a few addresses constantly trying to brute force a few of my linux servers that are behind my EFW. These boxes have outside addresses attached to virtual interfaces via Endian.

Is there a way I can block these addresses in EFW so that they cannot get to my boxes?

[gyp_the_cat]

Hi Physikal,

If you could clear up what they are trying to brute force I may be able to help more.

You can always ban their IP address via the console (on the servers or Endian) using:

iptables -A INPUT -s <IP> -j DROP

If you mean SSH brute force attempts, I found that fail2ban made a massive difference in stopping these kinda of attack.

I suppose other methods may be to just block the ports (if you can), or use Snort to sniff the packets.

Gyp

[physikal]

Yes it is SSH Brute Force. Sorry I did not state that before.

So is there any GUI to manage these banned IP's? If not thats a bit surprising. I wonder why they havent put that in yet.

[gyp_the_cat]

I'd heartily recommend you try Fail2ban on your servers, solved a heck of a lot of our problems pretty much instantly!

The firewall component on EFW is somewhat different to a lot of other products, but it's still based on excellent security principals.

I guess if you want to try this through the GUI you could always setup a NAT rule to route from the offending IPs to an empty internal IP