Brute force attacks

Hi, some readers here will know that I am pretty inexperienced so I am very pleased to see a “Newbies” forum. Thanks for that.

Like many others I see brute force attacks on my server and so far, it seems that none have managed. Provided secure passwords are used and all other aspects of security are as they should be, I guess I should not be too worried. On the other hand I shouldn’t be too complacent, particularly since I am a newbie.

I have seen in the logs (and via Logwatch) brute force attempts to gain access via SSH, POP3 and FTP.

I am happy that SSH is not a problem because access is barred from all but two IP numbers.

That leaves POP3 and FTP.

I think I would like to ban an IP number for, say, 5 minutes after, say, 3 incorrect login attempts.

I have dug around and cannot find anything built into PAM, ProFTPD, Dovecot etc.

I have tried to learn about iptables but I am having a hard time knowing exactly what I should do, and I am aware that I could lock myself out. Add to that a lot of conflicting info on the web.

So I did some searching for alternatives. Fail2Ban sounds like the type of thing I am looking for.

If I install Fail2Ban, will that conflict with VM or WM?

Has anybody got any better suggestions?

Am I missing something?

Apologies for continuing to harass you guys.

Thanks for reading.
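The temporary-ban behaviour asked for above (a few failed logins inside a short window, then a timed block that expires on its own) is what Fail2Ban implements; the following is an added example, not code from the thread or from Fail2Ban, showing that logic in Python over constructed Dovecot POP3 and ProFTPD log lines. The knob names mirror fail2ban's maxretry/findtime/bantime; the log regexes, sample lines and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample lines (syslog-style Dovecot POP3 and ProFTPD failures), not real logs.
SAMPLE_LOG = """\
Jun 10 10:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=203.0.113.5
Jun 10 10:00:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, rip=203.0.113.5
Jun 10 10:00:15 mail proftpd[2112]: mail (203.0.113.5[203.0.113.5]) - USER root: no such user found from 203.0.113.5 [203.0.113.5] to 192.0.2.10:21
Jun 10 10:00:30 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=198.51.100.7
Jun 10 10:06:00 mail proftpd[2113]: mail (203.0.113.5[203.0.113.5]) - USER bob (Login failed): Incorrect password
"""
# Approximate failure patterns (assumed); check them against the exact format your daemons log.
FAIL_PATTERNS = [
    re.compile(r"dovecot: pop3-login: .*auth failed.*rip=(?P<ip>[\d.]+)"),
    re.compile(r"proftpd\[\d+\]: \S+ \((?P<ip>[\d.]+)\[[\d.]+\]\) - USER .*(?:no such user|Incorrect password)"),
]
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

class LoginGuard:
    # Same knobs as fail2ban: maxretry failures inside findtime seconds -> ban for bantime seconds.
    def __init__(self, maxretry=3, findtime=300, bantime=300):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time the temporary ban expires

    def is_banned(self, ip, now):
        if ip in self.banned_until and now < self.banned_until[ip]:
            return True
        self.banned_until.pop(ip, None)     # expired (or never banned): clean slate again
        return False

    def record_failure(self, ip, now):
        # Returns True only when this failure crosses the threshold and starts a new ban.
        if self.is_banned(ip, now):
            return False                    # already blocked; a firewall rule would drop this
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.findtime:
            q.popleft()                     # forget failures older than the window
        if len(q) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            q.clear()
            return True
        return False

def scan(log_text, guard):
    # Feed log lines through the guard; return (ip, ban_start_time) for every new ban.
    bans = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        hit = next(filter(None, (p.search(line) for p in FAIL_PATTERNS)), None)
        if ts and hit:
            now = datetime.strptime(ts.group("ts"), "%b %d %H:%M:%S").replace(year=2023).timestamp()
            if guard.record_failure(hit.group("ip"), now):
                bans.append((hit.group("ip"), now))
    return bans
```

With the defaults, 203.0.113.5 is banned at its third failure (10:00:15) and its failure at 10:06:00 lands after the 5-minute ban has expired, so it simply starts a fresh count; a longer bantime would have swallowed that attempt instead.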

Personally I am not a fan of banning IPs. Often the attacks are random and done by scripts and/or kiddies; also, what if they are on temporary IPs? You'll ban an IP that might belong to a (potential) customer in the future.

I would sooner worry about scripts running under user accounts that can be hacked, then use that account to gain more privileges (Roundcube, perhaps Joomla and other popular scripts).

There are tools that can read logfiles, making it somewhat easier to go through them. Keeping close eyes on logfiles is important to find the persistent ones, then lock them out.

There is also a thread somewhere with advanced firewall rules you might be interested in, but I can't seem to find that thread anymore. It used drop before establishing.

Have good passwords, keep scripts up-to-date, read logs every day.

OSSEC is an option for you. http://www.ossec.net/

I use it on my server, with active response enabled, which disables IP addresses that generate alerts like brute force alerts etc.

I'm in the same boat as the Dim Git and have noticed brute force attacks already. All my passwords are 8+ characters in length and consist of random letters and numbers, different case etc., so I'd assume those are secure.

OSSEC looks interesting to me. Is it hard to set up and configure? Also, does it require a lot of resources? I'm limited to 256 MB of RAM at the moment.

Thanks for your replies people.

I know this is somewhat off topic for this board and apologise. If this is a step too far, feel free to chastise me/tell me to go away (or similar). :slight_smile:

I am running Logwatch and check that daily, occasionally going into the logs themselves.

I am sure this topic has been discussed ad nauseam elsewhere and I don't wish to take this thread along the same lines, but here is my feeling as an inexperienced Dim Git. :slight_smile:

Assuming all other points, like script vulnerabilities (thanks Ronald), are covered and good passwords are used, the system should be fairly safe.

There is always the possibility that a user might change their password to something less safe, or even that a seemingly safe password is not so safe.

By the time an intrusion is spotted in Logwatch, it has already happened and the damage may have already been done. Whereas an active detection and temporary ban of the IP number for maybe 5 minutes might help deter some. I guess I am looking at closing another potential route.

OSSEC looks like the sort of facility I need (thanks jahlewis), although it does look to do much more than my initial requirements. I have been doing some reading; I guess I need to do more, because the www.ossec.net site has a number of broken links etc., which makes it difficult.

Installation does look like it is fairly straightforward, but it also looks like there might be a lot of "tweaking" to be done. That is a point which I feel less competent about.

Many thanks for posting your responses, Google, here I come. :slight_smile:

[cite]I know this is somewhat off topic for this board and apologise. If this is a step too far, feel free to chastise me/tell me to go away (or similar). :-)[/cite]

You should certainly feel free to talk about this stuff :slight_smile:

Nearly everyone here is into web hosting, and exchanging ideas on how security is handled is certainly both welcome and relevant.

Have a good one!

-Eric

What are the log tools I should be using to make spotting intrusions and attacks easier?

This thread: http://www.virtualmin.com/node/10338 contains a link to samhain (good for one or more servers) and a link to loganalysis (many tools).

What would be the most straightforward to use for the beginner?

I would probably go for Guard myself. It is written by a Czech developer and the Czechs are often solid in whatever they produce (not much English in there though).

But it's a personal choice I guess. You can try out some of the stuff that is available and see what works for you. But read the documentation very well.

Thanks for all your replies guys, I really do appreciate your time.

I have read and Googled and then read some more and Googled some more. Jeeeez! There is a lot of info out there. Many of the suggested solutions look as though they need more knowledge than I have, and I cannot take the chance of messing up what is already running beautifully well.

I really do appreciate that the tools suggested by contributors to this thread are good for the job and I don’t wish to make them feel that I have ignored their suggestions. I have learned a lot by reading as a result of those suggestions. But I am still stuck.

Sooo, I have reviewed my requirements.

The initial requirement was for a temporary block on IPs which were attempting a dictionary/brute force attack.

The second is that it has to be easy to install and maintain.

The third is that it must NOT give me the opportunity of messing up what I already have.

With those three things in mind I did some more Googling. And I came back to Fail2Ban again.

I came across the following page (http://badran-blog.blogspot.com/2008/08/fail2ban-centos.html) which suggests that it is a doddle to install.

Sooo, can anyone point me in the direction of a similar guide for any of those mentioned?

Alternatively, will following the install on the link above conflict with WM or VM?

Thanks for putting up with me.

[cite]Alternatively, will following the install on the link above conflict with WM or VM?[/cite]

I wouldn't think so.

You may want to read up on a good tutorial: http://www.linux.org/lessons/advanced/c277.html

Thanks Ronald, that is a very good site, well for me it is anyway.

I have had a fast read through many pages and will return for a more in depth study. It does have a fairly good (by the looks of it) instruction about installing Snort.

In passing, I liked the following:

"The root user is the dictator. What he or she permits, is allowed. What isn't allowed doesn't come up for debate. It's prohibited."

Sounds a lot like our Government (UK): "What isn't allowed doesn't come up for debate". LOL

Hey Dim Git,

I use Fail2Ban (on Debian Lenny) and it doesn't conflict with Virtualmin. On Debian it's 'apt-get install fail2ban'. The default setup that it does itself should be good enough for you: it'll block SSH attempts after the 6th wrong password and lock 'em out for ten minutes.

Personally I edited the configuration file to make it email me on each ban (you just need to add your email address, the config file is well commented), and I changed the six attempts to just three, but I’m security mad. :slight_smile: You don’t actually need to change either of those things though.

If something goes wrong, don’t blame me, but I really seriously doubt that anything will go wrong. I installed it originally on a great running system, was a relative newbie at the time and was just as concerned as you about screwing everything up, but it was dead simple.

As always, though, you should make a full backup before installing and/or altering stuff, but then you should always have full recent backups available anyway. If you haven't, one day you will sorely wish that you had. :wink:

I enjoy using psad which reads logs from iptables rules and can catch port scans; and also OSSEC which monitors application logs. Both are capable of identifying and blocking miscreants for a configurable length of time. Their logs can be scanned manually or by script for persistent probers.

Both are easy to configure. As noted, psad requires iptables logs, and those are not easy to configure, monitor and refine.

I’m actually getting the following error when trying to install Fail2Ban on Ubuntu.

The following packages have unmet dependencies:

fail2ban: Depends: python-central (>= 0.6.7) but it is not going to be installed
E: Broken packages

Is this due to webmin/virtualmin or a Ubuntu issue?

[cite]I'm actually getting the following error when trying to install Fail2Ban on Ubuntu.

The following packages have unmet dependencies:

fail2ban: Depends: python-central (>= 0.6.7) but it is not going to be installed
E: Broken packages

Is this due to webmin/virtualmin or a Ubuntu issue?[/cite]

It should be either, really :wink:

On my Ubuntu system (running Virtualmin), fail2ban installs cleanly.

With the above error, I'd guess that something is wrong with either the package you're installing, or with the Ubuntu mirrors you have set up.

Are you using any third party mirrors? And which Ubuntu version are you using?

If it helps, though, nothing about your Virtualmin setup should be causing that.

-Eric

I solved it by using aptitude rather than apt-get. Apparently Ubuntu default install uses the wrong version of python.

Anything else that you know I should do to get Fail2ban working correctly in Ubuntu?