Intrusion Prevention Methodologies...

Good morning all.

I’ve been dealing with a number of brute-force ssh attacks as of late and am looking for the best method of incorporating some automated process for blocking the IPs through the firewall, but want to be sure that it won’t cause problems with the Interworx Panel implementation. I’ve looked at a couple of options, but am looking for recommendations as well.

Thanks and Happy Holidays!

Phil Malmstrom
philm@diamondcomputer.com

I would see what you could have done at the router/switch level. That would prevent load on your box.

Thanks,
Clint

Hi Clint, and thanks for the reply.

I am working on the switch level as well, but I still want to have some protection on the server itself. The load on our servers is pretty minimal as we only host domains for our service clients so I have plenty of headroom to play with.

Phil Malmstrom
philm@diamondcomputer.com

I would suggest something like this:

http://shellscripts.org/project/sshblock

Thanks,
Clint

Hi again Clint.

That’s one of the ones I looked at. I was curious to find out how the APF implementation would be affected by some of these scripts and if it would interfere with anything Interworx is doing. I know APF is just a policy set for iptables, but I’ve run into issues with other hosting panels (Ensim specifically) getting odd results when adding non-supported scripts and wanted to be sure that I wasn’t going to cause myself problems. I’ve also got Snort running for monitoring so I may try to use one of the daemons that interface with that for a more robust option.

Thanks for the input.

Phil Malmstrom
philm@diamondcomputer.com

Phil,

Why not try BFD, which is directly integrated with APF, as it's the same writer?

http://www.rfxnetworks.com/bfd.php

Or am I missing something?

I would see no reason not to use BFD, but if you use the other script, I would just leave port 22 open on APF, and let the script do the blocking.

Thanks,
Clint
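For readers weighing "let the script do the blocking", here is an added example (not code from this thread, BFD, sshblock or APF) of what such a log-driven blocker has to get right: it parses constructed sshd "Failed password" lines, counts failures per source address inside a sliding time window, skips a whitelist of your own management hosts so the tool cannot lock you out, and renders (but does not execute) one deny command per offender. The year, the threshold, the window, the whitelist address and the `apf -d HOST COMMENT` deny-host form are all assumptions made for the example. The seventh sample line is a constructed forged username containing "from 192.0.2.9": the client chooses the username it sends, so a parser that grabs the first "from <ip>" it sees would block an address the attacker picked rather than the attacker.

```python
import re
from datetime import datetime

# Constructed sample sshd lines in syslog format (not real log data).
# Line 7 carries an attacker-controlled username that itself contains
# "from 192.0.2.9"; the real source of that attempt is 198.51.100.7.
SAMPLE_LOG = """\
Dec 20 09:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec 20 09:12:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 40131 ssh2
Dec 20 09:12:04 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Dec 20 09:12:06 web1 sshd[2217]: Failed password for root from 203.0.113.5 port 40151 ssh2
Dec 20 09:12:07 web1 sshd[2219]: Failed password for root from 203.0.113.5 port 40160 ssh2
Dec 20 09:12:09 web1 sshd[2221]: Accepted publickey for phil from 198.51.100.7 port 51000 ssh2
Dec 20 09:13:00 web1 sshd[2230]: Failed password for invalid user from 192.0.2.9 from 198.51.100.7 port 52000 ssh2
Dec 20 09:20:00 web1 sshd[2240]: Failed password for root from 192.0.2.44 port 3000 ssh2
"""

# Anchor on the trailing "from <ip> port <n> ssh2" so the greedy, attacker-
# controlled username group can never supply the address we act on.
FAILED_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_login(line, year):
    """Return (timestamp, user, ip) for a failed-password line, else None.

    syslog stamps carry no year, so the caller supplies one (assumption for
    this example: the log does not span a year boundary)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("stamp").split())  # collapse "Dec  5" to "Dec 5"
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return when, m.group("user"), m.group("ip")


def find_offenders(lines, threshold, window_seconds, year, whitelist=frozenset()):
    """Map ip -> total failures for every ip that logged `threshold` failures
    inside some span of `window_seconds`. Whitelisted addresses (your own
    management hosts) are never reported: that is the lockout guard any
    automated blocker needs before it touches the firewall."""
    failures = {}
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue
        when, _user, ip = parsed
        if ip in whitelist:
            continue
        failures.setdefault(ip, []).append(when)

    offenders = {}
    for ip, stamps in failures.items():
        stamps.sort()
        # Sliding window: any `threshold` consecutive failures close enough
        # together trips the block, regardless of how old the first one is.
        for i in range(len(stamps) - threshold + 1):
            span = (stamps[i + threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                offenders[ip] = len(stamps)
                break
    return offenders


def block_commands(offenders, comment="sshd_bruteforce"):
    """Render one APF deny per offender. Assumes APF's `apf -d HOST COMMENT`
    deny-host form; commands are returned, not executed, so they can be
    reviewed or handed to whatever scheduler drives the blocker."""
    return [f"apf -d {ip} {comment}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines(), threshold=5,
                           window_seconds=600, year=2004,
                           whitelist={"198.51.100.7"})
    for cmd in block_commands(found):
        print(cmd)
```

Run as-is, the script reports only 203.0.113.5 (five failures in six seconds); 192.0.2.44 has a single failure and 198.51.100.7 is whitelisted, and 192.0.2.9 never appears because the parser refused to take an address out of the username. Whatever tool you settle on, check that it makes the same three decisions on your own logs before you let it write to the firewall.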

Hi Again.

I installed and configured BFD and all appears to be working well. Thanks to all of you for your helpful suggestions.

Phil Malmstrom
philm@diamondcomputer.com

bfd

I’d like to give bfd a try. How has it been working for you?

works great, I have it running on 6-7 servers atm.

it’s funny when you get 5 emails saying it blocked the same ip on 5 different servers :)

Clint

Good morning all.

I’m running it on three servers and it’s worked like a champ. Easy install, easy config and it just flat out works as advertised.

Take care.

Phil Malmstrom
philm@diamondcomputer.com