Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Hosting Security and Technology Tutorials : iptables or host.deny for VPS & fail2ban?

[dvessel]

Hello, I recently got myself into an unmanaged VPS package and I noticed in my log files, countless attempts to ssh into the system. After a bit of searching, fail2ban looked like a good way to ban the brute force attacks automatically.

My question is what should I configure it with? There's the option for iptables or host.deny. I've read that iptables are not fully supported under Virtuozzo but the stuff I've read are a bit dated. Are there still some issues with iptables under Virtuozzo?

What I'm using now:
*Virtuozzo 3 -not sure on exact version. Whatever SolarVPS is using.
*Signed up with centos4
*uname -r = 2.6.9-022stab078.14-enterprise

Thanks!

[dvessel]

Wow! Not sure how I posted here. Meant to be one level down.

[dvessel]

I'm really feeling like a fool. ~heh

It looks like iptables works just fine. Being new to this I was afraid of screwing things up but I tried it and it's working beautifully.

Please, move or delete the thread.

[Jeremy]

in the deny i have
sshd: ALL

and in the allow
sshd: 66.229.152. # jeremy

Works good for me

[YICHosting]

I know this thread is extremely old, but still it could be helpful to someone else getting brute force attacks over SSH.

A good piece of software to use would be DenyHosts. It is software that will parse your log files for failed SSH login attempts. If an IP address tries gets too many invalid passwords, DenyHosts will add the IP to /etc/hosts.deny, or whatever file you specify, depending on your OS.

Might be worth looking at, it's pretty reliable. Just Google "DenyHosts", I would post a link but have to make a few more posts first.

[jamesapnic]

Personally, what we do is move ssh to a different port if firewalling is not practical which it sometimes isn't. That way you will not get targeted by all of the mass scans. If you do get any it will be from a determined attacker and you can be sure you are being targeted by someone, which is useful information and you can block their entire IP range on all of your servers.

[insanelymacintosh]

I agree with Jamesapnic. Change the SSH port. This (while not being 100% bulletproof effective) does help.

[abhishek11683]

Seems to be a good option posted here but if you really want to protect your server more then disable default root access. That is in order to access the server then first access via a user and then login as root from there.