EFW Support

Support => General Support => Topic started by: physikal on Thursday 25 June 2009, 05:31:10 am



Title: Ban IP addresses?
Post by: physikal on Thursday 25 June 2009, 05:31:10 am
I have noticed a few addresses constantly trying to brute force a few of my linux servers that are behind my EFW. These boxes have outside addresses attached to virtual interfaces via Endian.

Is there a way I can block these addresses in EFW so that they cannot get to my boxes?


Title: Re: Ban IP addresses?
Post by: gyp_the_cat on Thursday 25 June 2009, 11:40:08 pm
Hi Physikal,

If you could clear up what they are trying to brute force I may be able to help more.

You can always ban their IP address via the console (on the servers or Endian) using:

Quote
iptables -A INPUT -s <IP> -j DROP

If you mean SSH brute force attempts, I found that fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) made a massive difference in stopping these kinds of attack.

I suppose other methods may be to just block the ports (if you can), or use Snort to sniff the packets.

Gyp
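As an added illustration of the two suggestions above (count failed SSH logins per source, then drop the offenders with an iptables rule), here is a small fail2ban-style script. It is not from this thread or from the fail2ban project: the log lines, the addresses and the retry threshold are all constructed for the example, and it only prints the iptables commands rather than applying them. One caveat for the Endian case: the `INPUT` chain only sees packets addressed to the firewall itself, so for servers sitting behind the EFW the same rule belongs in the `FORWARD` chain, which is why the chain is a variable here.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban: detect SSH
# brute-force sources in sshd log lines and emit iptables DROP rules for them.

# Constructed sshd log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG='Jun 25 05:20:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jun 25 05:20:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jun 25 05:20:05 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 40141 ssh2
Jun 25 05:20:06 web1 sshd[2206]: Failed password for root from 198.51.100.23 port 40150 ssh2
Jun 25 05:20:07 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 40161 ssh2
Jun 25 05:21:10 web1 sshd[2210]: Accepted publickey for deploy from 203.0.113.9 port 51000 ssh2
Jun 25 05:22:15 web1 sshd[2215]: Failed password for deploy from 203.0.113.9 port 51002 ssh2
Jun 25 05:23:00 web1 sshd[2220]: Failed password for root from 192.0.2.77 port 33000 ssh2
Jun 25 05:23:01 web1 sshd[2221]: Failed password for root from 192.0.2.77 port 33001 ssh2
Jun 25 05:23:02 web1 sshd[2222]: Failed password for root from 192.0.2.77 port 33002 ssh2'

# Failed attempts tolerated before an address is listed (constructed value,
# fail2ban calls the equivalent setting "maxretry").
MAXRETRY=3

# Chain to put the rule in: INPUT protects the host the log came from;
# use FORWARD on a firewall that routes/NATs traffic to servers behind it.
CHAIN=${CHAIN:-INPUT}

# offenders: read sshd log lines on stdin and print "count ip" for every
# source that reached MAXRETRY failed password attempts, busiest first.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v max="$MAXRETRY" '$1 >= max { print $1, $2 }' \
    | sort -rn
}

# ban_rules: turn the offender list into iptables commands. They are printed,
# not executed, so the script is safe to run anywhere; review the output and
# pipe it to sh on the host (or the Endian console) to apply it.
ban_rules() {
    offenders | while read -r count ip; do
        printf 'iptables -A %s -s %s -j DROP   # %s failed SSH logins\n' \
            "$CHAIN" "$ip" "$count"
    done
}

# Run against the constructed log when executed directly.
printf '%s\n' "$SAMPLE_LOG" | ban_rules
```

With the sample above, 198.51.100.23 (5 failures) and 192.0.2.77 (3 failures) are listed, while 203.0.113.9, which failed once and then logged in with a key, is left alone. Unlike fail2ban, this does not expire the bans or watch the log continuously, which is exactly the part fail2ban adds on top of the raw iptables rule.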


Title: Re: Ban IP addresses?
Post by: physikal on Friday 26 June 2009, 01:29:23 am
Yes it is SSH Brute Force. Sorry I did not state that before.

So is there any GUI to manage these banned IPs? If not, that's a bit surprising. I wonder why they haven't put that in yet.


Title: Re: Ban IP addresses?
Post by: gyp_the_cat on Friday 26 June 2009, 08:32:49 am
I'd heartily recommend you try Fail2ban on your servers, solved a heck of a lot of our problems pretty much instantly!

The firewall component on EFW is somewhat different to a lot of other products, but it's still based on excellent security principles.

I guess if you want to try this through the GUI you could always set up a NAT rule to route from the offending IPs to an empty internal IP :)