Welcome, Guest. Please login or register.
Did you miss your activation email?
Friday 06 December 2024, 07:07:32 am

Login with username, password and session length

CLICK HERE for the The official Endian Roadmap and Issue tracker
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Ban IP addresses?
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Ban IP addresses?  (Read 15796 times)
physikal
Jr. Member
*
Offline Offline

Posts: 3


« on: Thursday 25 June 2009, 05:31:10 am »

I have noticed a few addresses constantly trying to brute force a few of my linux servers that are behind my EFW. These boxes have outside addresses attached to virtual interfaces via Endian.

Is there a way I can block these addresses in EFW so that they cannot get to my boxes?
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #1 on: Thursday 25 June 2009, 11:40:08 pm »

Hi Physikal,

If you could clear up what they are trying to brute force I may be able to help more.

You can always ban their IP address via the console (on the servers or Endian) using:

Quote
iptables -A INPUT -s <IP> -j DROP

If you mean SSH brute force attempts, I found that fail2ban made a massive difference in stopping these kinda of attack.

I suppose other methods may be to just block the ports (if you can), or use Snort to sniff the packets.

Gyp
Logged
physikal
Jr. Member
*
Offline Offline

Posts: 3


« Reply #2 on: Friday 26 June 2009, 01:29:23 am »

Yes it is SSH Brute Force. Sorry I did not state that before.

So is there any GUI to manage these banned IP's? If not thats a bit surprising. I wonder why they havent put that in yet.
Logged
gyp_the_cat
Full Member
***
Offline Offline

Posts: 81



WWW
« Reply #3 on: Friday 26 June 2009, 08:32:49 am »

I'd heartily recommend you try Fail2ban on your servers, solved a heck of a lot of our problems pretty much instantly!

The firewall component on EFW is somewhat different to a lot of other products, but it's still based on excellent security principals.

I guess if you want to try this through the GUI you could always setup a NAT rule to route from the offending IPs to an empty internal IP Smiley
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.094 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com