Web Hosting Talk







Protecting against brute force


ewhost
08-14-2004, 08:00 PM
How do you protect against brute force for SSH?
Is it possible to limit # of connections per IP per hour/day/etc? If so, how?

How do you protect against brute force for WHM/CPanel?
Is it possible to limit # of connections per IP per hour/day/etc? If so, how?


Thanks in advance :)

dynamicnet
08-14-2004, 09:18 PM
Greetings:

Use tcpwrappers and your firewall to limit who can SSH.

Thank you.

effusionx1
08-14-2004, 09:34 PM
Yep, that would be the best way ;)
Just remember limiting connections will not always work, as there are many brute force programs that simply trick the server.

icgmedia
08-14-2004, 09:37 PM
Couple ideas:

1. Disable root logins to SSH. (Change PermitRootLogin to no in sshd_config).

2. Set up iptables to only allow access to SSH from certain IP addresses.

Another option might be 'port knocking', though it's certainly not the perfect option.

Steve

effusionx1
08-14-2004, 09:40 PM
Port knocking would just be annoying for authentic users :cool:

icgmedia
08-14-2004, 10:09 PM
Agreed on port knocking fusionx1. Just thought it was worth a mention for the original poster.

choon
08-14-2004, 10:37 PM
You can use swatch to monitor a log file and do whatever you want ;)
http://swatch.sourceforge.net/

geeks4help
08-15-2004, 02:18 AM
Originally posted by ewhost
How do you protect against brute force for SSH?
Is it possible to limit # of connections per IP per hour/day/etc? If so, how?

How do you protect against brute force for WHM/CPanel?
Is it possible to limit # of connections per IP per hour/day/etc? If so, how?


Thanks in advance :)

APF + BFD should do the job for you.

Steven
08-15-2004, 02:20 AM
WHM + CPANEL does not log logins.

RaviSharma
08-15-2004, 03:07 AM
If you use BFD, make sure in setup you DO NOT activate the email alert.

WHY?

Because if you're in an automatic brute force attack (i.e. hundreds or thousands of attempts in a very short period), then the email alert will try to send "ALERT EMAILS" for each one of them, causing the mail server to go insane as it will be processing that huge amount of emails in a very short period, which could crash your server and severely damage your filesystem & HDD, causing loss of DATA.

xerophyte
08-15-2004, 09:39 AM
Originally posted by RaviSharma
If you use BFD, make sure in setup you DO NOT activate the email alert.

WHY?

Because if you're in an automatic brute force attack (i.e. hundreds or thousands of attempts in a very short period), then the email alert will try to send "ALERT EMAILS" for each one of them, causing the mail server to go insane as it will be processing that huge amount of emails in a very short period, which could crash your server and severely damage your filesystem & HDD, causing loss of DATA.


You can use swatch and its Throttle option to avoid repeated alerts:

1) Configure swatch on all the logs.
2) Use the Throttle option with swatch, which will alert only if the threshold is reached for the log pattern.
3) Make a small script to block IP addresses based on the swatch alert.

With swatch you can tail any number of logs:
/var/log/secure
apache access_log
and many more

hope that helps
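
The threshold-then-block idea from the post above, as an added stand-alone example (not code from this thread, and not swatch or BFD themselves): it counts sshd "Failed password" lines per IP in a sliding window and reports each offender once, so alerts do not repeat per attempt. The function names, the `allow` list and the OpenSSH log line format are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at end of line: a username containing " from <ip> port " must not
# be able to choose which address gets blocked.
FAILED = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+(?: ssh2)?\s*$"
)

def offenders(lines, year, threshold=5, window=timedelta(minutes=10), allow=()):
    """Return IPs with >= threshold failures inside window, each reported once."""
    allowed = [ipaddress.ip_network(n) for n in allow]  # never block these
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = []                  # throttle: one entry per IP, not per attempt
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue              # not a literal address, ignore the line
        if any(ip in net for net in allowed) or ip in flagged:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.append(ip)
    return [str(ip) for ip in flagged]

def block_commands(ips):
    """Render, but do not run, one iptables DROP rule per offender."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

# Constructed sample in /var/log/secure style, using documentation addresses.
SAMPLE = (
    [f"Aug 14 20:00:{s:02d} web1 sshd[311]: Failed password for root from 192.0.2.10 port 4{s:03d} ssh2" for s in range(6)]
    + [f"Aug 14 20:01:{s:02d} web1 sshd[312]: Failed password for invalid user test from 198.51.100.7 port 5000 ssh2" for s in range(2)]
    + [f"Aug 14 20:02:{s:02d} web1 sshd[313]: Failed password for admin from 203.0.113.5 port 6000 ssh2" for s in range(5)]
)

if __name__ == "__main__":
    print("\n".join(block_commands(offenders(SAMPLE, 2004, allow=["203.0.113.0/24"]))))
```

Syslog timestamps carry no year, so the caller passes one. Putting your own admin address in `allow` keeps a mistyped password from locking you out.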

ewhost
08-17-2004, 10:05 AM
Originally posted by rishidude
APF + BFD should do the job for you.

Where would I get these products?

Lippy
08-17-2004, 11:23 AM
Guide to BFD = http://www.webhostgear.com/60.html
Guide to APF = http://www.webhostgear.com/61.html

Both are done by http://www.rfxnetworks.com/index.php

Ramprage
08-17-2004, 12:27 PM
Hmm, BFD doesn't send a single alert for every single attempt for me. Instead it sends all the login attempts from one IP in a single mail until the user is blocked.