Web Hosting Talk

Protect yourself from brute-forcers!


vx|brian
07-29-2006, 11:16 AM
Hello everyone!

I am new to the hosting industry, but security was never new to me: I hardened my server and applied all the usual methods to secure it. As a very new company getting sales only from AdWords, I didn't expect to need the hardening, but I did it anyway.

Until today, when I received an email from my server notifying me that someone was actually trying to brute-force their way into the server, so I thought I'd write a tutorial on how to protect yourself.

First, you'll need APF to be installed. I'm not going to go into detail on how to set up the firewall, but you'll simply need it installed so that BFD (brute force detector) can block the IP that is trying to "brute force".

Installing APF
cd ~
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf-*
sudo sh install.sh

Installing BFD
cd ~
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
rm -f bfd-current.tar.gz
cd bfd-*
sudo sh install.sh

Configuring BFD
Use your favorite text editor (I prefer nano) to edit the configuration file, /usr/local/bfd/conf.bfd

Find
ALERT_USR="0"
and replace it with
ALERT_USR="1"

Find
EMAIL_USR="root"
and replace it with
EMAIL_USR="your.email@webserver.com"

Save your modifications and exit your editor, start BFD using the line
/usr/local/sbin/bfd -s

Now, whenever BFD detects a brute force, it will email you at the address set above, and BFD will run the command /etc/apf/apf -d the.attackers.ip

The emails you will usually receive look like this:
Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from the.attackers.ip
Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from the.attackers.ip
Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from the.attackers.ip port 48215 ssh2
Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from the.attackers.ip port 48223 ssh2
Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from the.attackers.ip
Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from the.attackers.ip port 48322 ssh2
Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from the.attackers.ip port 48329 ssh2
Oh, and one thing I did after I received the attack: I immediately changed the default SSH port. Use your favorite text editor (nano again!) to edit /etc/ssh/sshd_config

Find
#Port 22
and uncomment the line (remove the #) and replace the 22 with the port you want SSH to use (max. port number is 49151, so make sure you don't put anything past that). Afterwards, restart SSH. Usually on CentOS it is service sshd restart, and on other operating systems it is /etc/rc.d/init.d/sshd restart

After getting attacked, I did a WHOIS on the IP (run whois the.attackers.ip). You'll usually see an email address like abuse@somedomain.com.

Make sure to send them an email including the logs from the email, your server IP and the attacker's IP.

Thanks a lot for reading :)
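As an added example, not part of the original post: a small Python detector that applies a BFD-style failure threshold to sshd log lines of the shape shown in the alert above. The sample lines are constructed, using documentation IP addresses; the threshold and window are assumptions, not BFD's own values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the alert-email format; documentation IPs, not real attackers.
SAMPLE_LOG = """\
Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from 198.51.100.7
Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from 198.51.100.7
Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from 198.51.100.7 port 48215 ssh2
Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from 198.51.100.7 port 48223 ssh2
Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from 198.51.100.7
Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from 198.51.100.7 port 48322 ssh2
Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from 198.51.100.7 port 48329 ssh2
Jul 29 08:30:01 yourhostname sshd[21700]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Jul 29 08:30:05 yourhostname sshd[21700]: Accepted publickey for alice from 203.0.113.9 port 51000 ssh2
""".splitlines()

# The two sshd failure shapes shown in the alert email.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(lines):
    """Yield (timestamp, ip) for each failed-password / invalid-user line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:  # syslog has no year; strptime's 1900 default is fine for measuring gaps
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def offenders(lines, threshold=5, window_seconds=600):
    """Return {ip: peak_count} for IPs that reach `threshold` failures inside
    any sliding window of `window_seconds`, the same idea as BFD's trigger count."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for ts, ip in parse_failures(lines):
        events[ip].append(ts)
    hits = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits
```

Only IPs in the returned dict would be handed to the firewall (the tutorial's /etc/apf/apf -d step); the single failure from 203.0.113.9 stays under the threshold.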

herzigint
07-30-2006, 08:04 AM
Great tutorial :)! Easy to follow and about a subject not to be missed! Thanks!

-Sebastian

grandad
07-30-2006, 08:30 AM
Is this compatible with Frontpage extensions being used on a server?

vx|brian
07-30-2006, 10:33 AM
Is this compatible with Frontpage extensions being used on a server?

I don't see any reasons why it wouldn't. My server runs cPanel with Frontpage and it causes no problems.

nick125
07-30-2006, 11:58 AM
I use denyhosts, and it works pretty well for me. The main issue with using something that adds the offending host to a firewall is that, if the attacker had access to enough hosts, they could potentially cause a DDoS effect to the server, and potentially crash the server. Denyhosts just adds the offending host to the /etc/hosts.deny file. One of the best features of denyhosts is the sync feature, which stops most attacks before they even start attacking your server. I love it :)

herzigint
07-31-2006, 05:35 AM
WOW! Installed it yesterday and got my first message today in the morning! LOL! Did a whois, and it seemed to have come from a computer company... anyway, I initiated the necessary steps!

-Sebastian

tamar
08-01-2006, 04:08 PM
Very nice tutorial! :)

Thanks for sharing.

Gazza-t
09-15-2006, 10:38 AM
I already have APF & BFD installed, changed the port etc.
Can port 22 be totally closed in the firewall?

thank you

vx|brian
09-15-2006, 04:35 PM
Once you have changed ports and SSH is not on port 22, it is considered a closed port; you don't need to close it.

HD Fanatic
09-15-2006, 10:10 PM
Does BFD auto-run at boot?

vx|brian
09-16-2006, 09:43 AM
Yes, it will start. It's run by a timed cronjob so it will run when you boot your server/computer.

Gazza-t
09-19-2006, 09:40 AM
Once you have changed ports and SSH is not on port 22, it is considered a closed port; you don't need to close it.
thanks for your reply

vx|brian
09-19-2006, 04:36 PM
No problem. :)

Digiover
09-19-2006, 04:46 PM
I use denyhosts, and it works pretty well for me. The main issue with using something that adds the offending host to a firewall is that, if the attacker had access to enough hosts, they could potentially cause a DDoS effect to the server, and potentially crash the server. Denyhosts just adds the offending host to the /etc/hosts.deny file. One of the best features of denyhosts is the sync feature, which stops most attacks before they even start attacking your server. I love it :)
Why not just add your IP address to /etc/hosts.allow (for the service sshd) and deny all others? That is, if you are not offering ssh access to your customers of course.
I am no fan of binding sshd to an alternate port, therefore this is my favorite solution.

vx|brian
09-19-2006, 06:44 PM
However, Digiover, most ISPs here in Canada & the USA do -not- have static IPs, meaning if you reconnect or get disconnected, you're pretty much locked out. :-)

DamianS
10-16-2006, 09:50 PM
However, Digiover, most ISPs here in Canada & the USA do -not- have static IPs, meaning if you reconnect or get disconnected, you're pretty much locked out. :-)

yep. this is only practical if you have easy physical access to your server.

Changing just the default SSH port is a lazy attempt at security.

If you disable password authentication, only allow publickey authentication, and have a reasonably long passphrase, you won't have any unauthorized SSH logins - ever.
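An added example (not from the thread): a small audit of an sshd_config for the settings DamianS describes, together with the port change from the first post. The two config fragments are constructed, the Match block is hypothetical, and the defaults assumed for unset keywords are OpenSSH's.

```python
# Constructed sshd_config fragments: a stock-style file beside a hardened one.
WEAK_CONFIG = """\
#Port 22
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""
HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive (PAM) would otherwise still prompt for a password
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Map lowercase keyword -> value using OpenSSH's rules: '#' starts a
    comment, keywords are case-insensitive, the first value seen wins, and
    directives after a Match line are conditional, so parsing stops there."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip()
    return seen

def audit(text):
    """Return findings for the checks in the post above; an empty list means
    password logins are off, keys are on, and port 22 is not in use."""
    cfg = parse_sshd_config(text)
    def val(key, default):  # an unset keyword takes the OpenSSH default
        return cfg.get(key, default).lower()
    findings = []
    if val("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on (the default)")
    if val("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off")
    if val("challengeresponseauthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication is on (the default)")
    if val("port", "22") == "22":
        findings.append("sshd still listens on port 22")
    return findings
```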

concreteman
11-02-2006, 03:32 PM
I am no fan of binding sshd to an alternate port, therefore this is my favorite solution.

SSH on another port and IP is a great way to go; pick one with no other services and it makes it more difficult for attacks. Don't forget your IP/port combo.

A couple of weeks ago, I ran a script that tried to log in via FTP with a bad user/pass, and locked myself out of my own server. If you can't see any of your own sites all of a sudden after a bonehead move like mine, yet they are up from elsewhere, find another IP... plug a laptop or other system into your dynamic connection to get a new IP address (works for me), log in as normal and take your IP out of the deny.hosts

opera.mp3
11-02-2006, 05:18 PM
If you don't want someone to brute-force you in the first place, you should use SSH key authentication (if you have one or a limited number of people who will log in, this is a good strategy).

Here are two random links about it:
http://kimmo.suominen.com/docs/ssh/
http://www.cs.uwaterloo.ca/cscf/howto/ssh/public_key/

Al3in
11-05-2006, 08:11 PM
Thanks for this tut, dear.

Rocco Antonioni
11-10-2006, 09:28 AM
I am facing a serious problem here:
The server I was on before was banning my IP after about 30 attempts to brute-force into my own WHM.
The server I am on now does not, even after 80 manual tries to hack my own WHM! I have asked my current host and he said that he has APF/BFD installed.
I do believe him; however, I think he has not set some variables strictly enough to consider 30 login attempts as hack attempts.
Do you know which variables/settings in BFD determine the number of acceptable failures?

Rocco.

D3m0n
11-10-2006, 10:09 AM
Isn't there any script which, when someone attacks the server repeatedly, auto-sends an email to the abuse department of the ISP, so you don't have to do a whois on the IP and then send it manually?

Thanks

D3m0n
11-10-2006, 10:14 AM
Oh, also: just by having APF and BFD, are you protected? What other software could we add for extra security?

Thanks again..

bloodyman
11-10-2006, 11:27 AM
What should I put in /etc/apf/allow_hosts.conf if I want to allow SSH access only from the xxx.xxx.xx.xx/24 subnet?

Thanks

Arpanet
11-17-2006, 09:09 PM
Oh, also: just by having APF and BFD, are you protected? What other software could we add for extra security?

Thanks again..

Don’t forget deny_hosts.rules. If you have a niche website specific to a country, it may be worth looking into if you’re able to afford blocking ranges. To get IPs by country, try http://software77.net/cgi-bin/ip-country/geo-ip.pl. Note that it’s not foolproof, since there may be some leakage as far as IP ownership goes.

In my situation, the bigger problem is lack of time – not enough hours in a day. However, when I blocked a large range from Brazil, I saw an immediate and positive effect. On a side note, no disrespect is meant to Brazil, since all countries are affected and the website I mention does not relate to that area.

The immediate benefit I received was quicker load time on my website. The mid-term benefit has been increased income. Long-term benefit: don’t know yet.

EddieFudd
01-14-2007, 03:32 PM
thanks for this

Ramprage
01-18-2007, 08:44 PM
I'm surprised BFD is still so popular. I thought there would be some updates to the app, but they never came..

linux-tech
01-19-2007, 07:26 PM
Oh, also: just by having APF and BFD, are you protected? What other software could we add for extra security?

Don't use APF/BFD, they're somewhat outdated and problematic.
Go with CSF (http://www.configserver.com/cp/csf.html) which handles everything APF and BFD should do and so much better.

With APF/BFD, there are multiple configuration files for each application (ssh, http, blah blah blah), all requiring separate triggers and the like. With CSF, it's a one time deal.

With APF/BFD, I noticed multiple attempts just got away with nothing, with CSF not so.

APF's "ddos" module is nothing but beta. I've seen it work and not work, but typically it works far too well, blocking people too quickly, or not quickly enough. CSF, on the other hand, has rather effective DDoS protection built into LFD (distributed with and part of CSF).

You really should check out CSF/LFD if you're still using the old setup of APF/BFD; they're MUCH more efficient.

Hostingforyou
01-22-2007, 01:13 PM
Great tutorial, thanks alot :)

matrafox
02-23-2007, 10:42 AM
Hello
Has anybody modified BFD for SuSE? Or what firewall do you use on SuSE?
Best regards

Vince2006
02-26-2007, 01:28 AM
I agree with linux-tech,

I have switched over from APF / BFD to CSF / LFD for the same reasons stated. It works great with cPanel / WHM and is highly configurable from within WHM itself. I did use APF / BFD for a while but found it to be a resource hog. With CSF / LFD I haven't seen a noticeable increase in resource usage.

According to the ConfigServer website, CSF / LFD is also compatible with openSUSE v10.

Vince

panaman
02-26-2007, 11:16 AM
rfxnetworks.com is down... anyone know anything about this?

Vince2006
02-26-2007, 11:33 AM
No response at 9:32 AM Central. Try CSF. I can't paste the URL since I don't have at least 5 posts yet :) But linux-tech included the URL in his previous post #27 in this thread.

panaman
02-26-2007, 11:54 AM
I run a Plesk server though, and I don't think CSF works on Plesk.

smtalk
02-26-2007, 01:36 PM
You can use ELS to install APF and BFD. Or download them from: http://www.servermonkeys.com/projects/els/ (there you will find apf and bfd tarballs)