Hello. In the last few days I have received several attack attempts through SSH. The system will not let them in, but they keep trying and trying to the point that they manage to take down the server. I have blocked more than 20000 IPs, but then they start from a new IP. At this moment I cannot afford a proper dedicated firewall, so I was wondering if I could just block port 22 for all when not in use. Obviously this could lock me out completely in case interworx fails or whatever. I know it is not the cleanest solution, but I am desperate right now since the server is taken down every four to six hours and I need to sleep :o.
So my question is: can I block port 22 without any issues apart from locking myself out?
Does iworx use this port?
Does anyone have any suggestion towards a cleaner solution to this problem?
I leave SSH on port 22 and just firewall off the port. I then whitelist the few static IPs I normally connect from to manage the server. If I ever need to get in from a different location I could log in to NodeWorx and add that IP or unblock it.
Got tired of having 10 MB of text emails in my daily logwatch with hack attempts :rolleyes:
Uhhhm, thanks Paul, that would mean a temporary solution till they start attacking all ports, but I like it; at least I'll get some time to think about what else I could do. I've been thinking while reviewing the logs: blocking port 22 does not matter very much, really; though this is the most attacked port, it is not the only one. I guess I am going to need that firewall.
Sorry Justec, I was posting at the same time. That's a nice solution; I thought about it. The problem is my ISP does not like me and will not assign a static IP. I was planning to whitelist the whole IP range, but I do not think so, it's like playing the lottery.
Thanks for the tip. BFD looks like the best solution; I found it here, in case someone is interested. It would be a nice feature for interworx. This forum thread discusses several brute force detection systems.
86.203.255.84:quizz
etc… 25 more
83.114.165.165:quizz
etc… 40 more
In fact BFD uses its own log reader (the tlog program) to read only the last lines in /var/log/maillog (or whatever other log file) which have not already been read. This improves performance, of course.
So BFD will receive IP:user, and if there are more than n occurrences of the same IP address it will do an apf -b IP comment.
BE CAREFUL !!!
I give this just as a lead to explore, and as the beginning of what could be a rule.
I DIDN'T TEST IT much. It works for me on my box, but it doesn't mean it will work on yours (lol, don't see why it should not, but…).
It was only to show here that we may create other rules in BFD that might be more INTERWORX relevant.
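What the post above describes, reading only the not-yet-read tail of a log, counting failed logins per IP and handing the offenders to apf -b, as an added Python example that is neither BFD's nor the poster's code. The log line format, the sample lines and the "bfd-maillog" comment are constructed assumptions; the regex is what you would adapt to your own mail daemon.

```python
import re
import tempfile
from collections import Counter

# Constructed sample lines, not real maillog output; the format is an assumption,
# so adjust FAILED_RE to whatever your mail daemon actually logs.
SAMPLE_LOG = (
    "Jan 10 03:14:15 mail dovecot: pop3-login: auth failed: user=<quizz>, rip=86.203.255.84\n"
    "Jan 10 03:14:16 mail dovecot: pop3-login: auth failed: user=<quizz>, rip=86.203.255.84\n"
    "Jan 10 03:14:17 mail dovecot: pop3-login: auth failed: user=<quizz>, rip=86.203.255.84\n"
    "Jan 10 03:15:01 mail dovecot: imap-login: auth failed: user=<admin>, rip=83.114.165.165\n"
    "Jan 10 03:15:02 mail dovecot: imap-login: Login: user=<bob>, rip=203.0.113.7\n"
)
FAILED_RE = re.compile(r"auth failed: user=<(?P<user>[^>]*)>, rip=(?P<ip>[\d.]+)")

def read_new_lines(path, offset):
    """Read only bytes past `offset` (what the thread says BFD's tlog does) and return
    (lines, new_offset); a file shorter than `offset` was rotated, so restart from 0."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        if fh.tell() < offset:
            offset = 0
        fh.seek(offset)
        data = fh.read()
    return data.decode(errors="replace").splitlines(), offset + len(data)

def extract_pairs(lines):
    """Yield (ip, user) for each failed login the regex matches."""
    for m in filter(None, map(FAILED_RE.search, lines)):
        yield m.group("ip"), m.group("user")

def offenders(lines, threshold):
    """IPs that failed more than `threshold` times, in order of first appearance."""
    counts = Counter(ip for ip, _ in extract_pairs(lines))
    return [ip for ip, n in counts.items() if n > threshold]

def block_commands(ips, comment="bfd-maillog"):
    """The `apf -b IP comment` calls the thread describes, as argv lists for the caller to run."""
    return [["apf", "-b", ip, comment] for ip in ips]

def demo(threshold=2):
    """Two passes over a temp copy of SAMPLE_LOG: the second pass sees only the appended line."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as fh:
        fh.write(SAMPLE_LOG)
        path = fh.name
    first, offset = read_new_lines(path, 0)
    with open(path, "a") as fh:
        fh.write("Jan 10 03:16:00 mail dovecot: imap-login: auth failed: user=<admin>, rip=83.114.165.165\n")
    second, _ = read_new_lines(path, offset)
    return offenders(first, threshold), block_commands(offenders(first, threshold)), second
```

Because the second pass starts at the saved offset, a failure is never counted twice across runs; persist that offset between cron invocations to get the same behaviour as the tlog reader.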