
07-29-2006, 11:16 AM
Aspiring Evangelist
Join Date: Jul 2006
Location: Montreal, Canada
Posts: 369
Protect yourself from brute-forcers!
Hello everyone!
I am new to the hosting industry, but security was never new to me; I hardened my server and applied all the methods to secure it. As a very new company getting sales only from AdWords, I didn't expect my hardening to be needed, but I still did it.
Then today, I received an email from my server notifying me that someone was actually trying to brute-force their way into the server, so I thought I'd write a tutorial on how to protect yourself.
First, you'll need APF to be installed. I'm not going to go into detail on how to set up the firewall, but you'll simply need it installed so that BFD (Brute Force Detector) can block the IP that is trying to "brute force".
Installing APF
cd ~
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf-*
sudo sh install.sh
Installing BFD
cd ~
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
rm -f bfd-current.tar.gz
cd bfd-*
sudo sh install.sh
Configuring BFD
Use your favorite text editor (I prefer nano) to edit the configuration file, /usr/local/bfd/conf.bfd
Find
ALERT_USR="0"
and replace it with
ALERT_USR="1"
Find
EMAIL_USR="root"
and replace it with
EMAIL_USR="your.email@webserver.com"
Save your modifications and exit your editor, then start BFD using the line
/usr/local/sbin/bfd -s
Now, whenever BFD detects a brute force, it will email you at the address set above, and BFD will run the command /etc/apf/apf -d the.attackers.ip
The emails you will usually receive look like this:
Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from the.attackers.ip
Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from the.attackers.ip
Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from the.attackers.ip port 48215 ssh2
Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from the.attackers.ip port 48223 ssh2
Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from the.attackers.ip
Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from the.attackers.ip port 48322 ssh2
Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from the.attackers.ip port 48329 ssh2
Oh, and one thing I did after I received the attack: I immediately changed the default SSH port. Use your favorite text editor (nano again!) to edit /etc/ssh/sshd_config
Find
#Port 22
and uncomment the line (remove the #) and replace the 22 with the port you want SSH to use (max. port number is 49151, so make sure you don't put anything past that). Afterwards, restart SSH. Usually on CentOS it is service sshd restart, and in other operating systems it is /etc/rc.d/init.d/sshd restart
After getting attacked, I did a WHOIS on the IP (run whois the.attackers.ip). You'll usually see an email address, something like abuse@somedomain.com.
Make sure to send them an email including the logs from the email, your server IP and the attacker's IP.
Thanks a lot for reading
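The check BFD automates for the post above, as an added example that is not part of the original post or of the BFD/APF projects: it counts sshd "Failed password" lines per source host over the post's own log excerpt (plus one constructed line for a second, legitimate source, 198.51.100.7), reports which sources cross a caller-chosen threshold, and builds, without running, the /etc/apf/apf -d command the post says BFD executes. The user list per source is what you would paste into the abuse report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the post's excerpt (placeholder host the.attackers.ip)
# plus one line for a second source using a documentation address.
SAMPLE_LOG = """\
Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from the.attackers.ip
Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from the.attackers.ip
Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from the.attackers.ip port 48215 ssh2
Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from the.attackers.ip port 48223 ssh2
Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from the.attackers.ip
Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from the.attackers.ip port 48322 ssh2
Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from the.attackers.ip port 48329 ssh2
Jul 29 08:30:01 yourhostname sshd[21700]: Failed password for admin from 198.51.100.7 port 50001 ssh2
"""

# Only the line that records a rejected attempt is counted; the "Invalid user"
# line that precedes it describes the same attempt and would double-count it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def failures_by_source(log_text):
    """Map each source host to (failed attempts, sorted user names tried)."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m["src"]] += 1
            users[m["src"]].add(m["user"])
    return {src: (n, sorted(users[src])) for src, n in counts.items()}

def offenders(log_text, threshold):
    """Sources at or above the failure threshold (BFD takes its own trigger
    count from conf.bfd; here the caller chooses the value)."""
    return sorted(src for src, (n, _) in failures_by_source(log_text).items()
                  if n >= threshold)

def apf_deny_commands(sources):
    """The block command the post says BFD runs; returned, never executed."""
    return [f"/etc/apf/apf -d {src}" for src in sources]

if __name__ == "__main__":
    for src, (n, tried) in failures_by_source(SAMPLE_LOG).items():
        print(f"{src}: {n} failures, users tried: {', '.join(tried)}")
    for cmd in apf_deny_commands(offenders(SAMPLE_LOG, 3)):  # low threshold for the demo
        print(cmd)
```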

07-30-2006, 08:04 AM
New Member
Join Date: Jul 2006
Posts: 0
Great tutorial! Easy to follow and about a subject not to be missed! Thanks!
-Sebastian

07-30-2006, 08:30 AM
Web Hosting Master
Join Date: Mar 2002
Location: UK
Posts: 1,262
Is this compatible with Frontpage extensions being used on a server?

07-30-2006, 10:33 AM
Aspiring Evangelist
Join Date: Jul 2006
Location: Montreal, Canada
Posts: 369
Quote:
Originally Posted by grandad
Is this compatible with Frontpage extensions being used on a server?
I don't see any reason why it wouldn't. My server runs cPanel with Frontpage and it causes no problems.

07-30-2006, 11:58 AM
WHT Addict
Join Date: Mar 2006
Location: Albuquerque, New Mexico
Posts: 142
I use denyhosts, and it works pretty well for me. The main issue with using something that adds the offending host to a firewall is that, if the attacker had access to enough hosts, they could potentially cause a DDoS effect on the server, and potentially crash the server. Denyhosts just adds the offending host to the /etc/hosts.deny file. One of the best features of denyhosts is the sync feature, which stops most attacks before they even start attacking your server. I love it

07-31-2006, 05:35 AM
New Member
Join Date: Jul 2006
Posts: 0
WOW! Installed it yesterday and got my first message this morning! LOL! Did a whois, and it seemed to have come from a computer company... anyway, I initiated the necessary steps!
-Sebastian

08-01-2006, 04:08 PM
Junior Guru
Join Date: May 2006
Posts: 232
Very nice tutorial!
Thanks for sharing.

09-15-2006, 10:38 AM
Junior Guru Wannabe
Join Date: Jun 2006
Posts: 33
I already have APF & BFD installed, changed the port etc.
Can port 22 be totally closed in the firewall?
Thank you

09-15-2006, 04:35 PM
Aspiring Evangelist
Join Date: Jul 2006
Location: Montreal, Canada
Posts: 369
Once you have changed ports and SSH is not on port 22, it is considered a closed port; you don't need to close it.

09-15-2006, 10:10 PM
Web Hosting Master
Join Date: Jan 2005
Posts: 2,099
Does BFD autorun at boot?

09-16-2006, 09:43 AM
Aspiring Evangelist
Join Date: Jul 2006
Location: Montreal, Canada
Posts: 369
Yes, it will start. It's run by a timed cron job, so it will run when you boot your server/computer.

09-19-2006, 09:40 AM
Junior Guru Wannabe
Join Date: Jun 2006
Posts: 33
Quote:
Originally Posted by vexxhost
Once you changed ports and SSH is not at port 22. It is considered as a closed port, you don't need to close it.
Thanks for your reply

09-19-2006, 04:36 PM
Aspiring Evangelist
Join Date: Jul 2006
Location: Montreal, Canada
Posts: 369
No problem.

09-19-2006, 04:46 PM
Newbie
Join Date: Apr 2004
Location: the Netherlands
Posts: 6
Quote:
Originally Posted by nick125
I use denyhosts, and it works pretty well for me. The main issue with using something that adds the offending host to a firewall is that, if the attacker had access to enough hosts, they could potentially cause a DDoS effect to the server, and potentially crash the server. Denyhosts just adds the offending host to the /etc/hosts.deny file. One of the best features of denyhosts is the sync feature, which stops most attacks before they even start attacking your server. I love it
Why not just add your IP address to /etc/hosts.allow (for the service sshd) and deny all others? That is, if you are not offering SSH access to your customers, of course.
I am no fan of binding sshd to an alternate port, therefore this is my favorite solution.

09-19-2006, 06:44 PM
Aspiring Evangelist
Join Date: Jul 2006
Location: Montreal, Canada
Posts: 369
However, Digiover, most ISPs here in Canada & the USA do -not- have static IPs, which means if you reconnect or get disconnected, you're pretty much locked out. :-)