Brute Force Secure?

Does Interworx have any brute force protection at all?

// Bit of a random question but it is something I have had to deal with recently. Just interested really.

Interworx doesn't have BFD, but you can install it very easily and it works with your Interworx firewall.

Here is a simple HowTo for BFD.

HowTO:

Install BFD (Brute Force Detection)
Log in via SSH as root.

cd /root/downloads

wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

tar -xvzf bfd-current.tar.gz

cd bfd-0.9

./install.sh

After installing BFD, change the following:

nano /usr/local/bfd/conf.bfd

Scroll down to:
ALERT_USR="0"
Change to:
ALERT_USR="1"

Search for:
EMAIL_USR="root"
Change to:
EMAIL_USR="your@email.nl"

Save the file:
Ctrl+X, "yes", [ENTER]

Start BFD:

/usr/local/sbin/bfd -s

Wow! Terrific!! Thanks for that done in about 3 seconds… :stuck_out_tongue:

Disclaimer: I'm not familiar with the package mentioned above.

The problem with brute force detection is that it creates the possibility of a denial of service account. If you are worried about SSH logins, use keys only.

http://secom.linemanhosting.com/cms.php/page.article/number.5/

BFD is from the same company as the firewall that is included in Interworx, http://www.rfxnetworks.com, and so it communicates with APF. When BFD finds problems with some IPs it puts them in the deny list of APF, so it is a perfect combination to start protecting your server.

That it would create DDOS accounts is totally new to me and I really can't make a link to what you said. When you say that this is not the only way to protect your server then you are right; there are many ways to do it, but like I said before, this is a very good way to make a start.

If you have any suggestions for protection then please post them here in the forum.
Positive input is always welcome.

[QUOTE=rone;10160]BFD is from the same company as the firewall that is included in Interworx, http://www.rfxnetworks.com, and so it communicates with APF. When BFD finds problems with some IPs it puts them in the deny list of APF, so it is a perfect combination to start protecting your server.

That it would create DDOS accounts is totally new to me and I really can't make a link to what you said. When you say that this is not the only way to protect your server then you are right; there are many ways to do it, but like I said before, this is a very good way to make a start.

If you have any suggestions for protection then please post them here in the forum.
Positive input is always welcome.[/QUOTE]

It wouldn’t DDoS, just DOS :slight_smile:

Here is the DoS scenario for you:

  1. Joe Bob logs in to the server via SSH
  2. Bobby Joe does 100 fake logins for Joe Bob
  3. Some system locks Bobby Joe out (either at the IP level, Joe Bob's account level, etc.)
  4. If it's at the account level, Joe Bob can no longer log in.

All that said, (and while I still haven’t looked at BFD much), it sounds as if this couldn’t (reasonably) happen.

Wow immediate results:

The remote system xxx.xxx.xxx.xxx was found to have exceeded acceptable login failures on my.server.com; there was 403 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Oct 12 23:17:41 angel sshd[3873]: Invalid user warezz from xxx.xxx.xxx.xxx
Oct 12 23:17:41 angel sshd[3875]: Invalid user tini from xxx.xxx.xxx.xxx
Oct 12 23:17:42 angel sshd[3877]: Invalid user warez from xxx.xxx.xxx.xxx
Oct 12 23:17:44 angel sshd[3873]: Failed password for invalid user warezz from xxx.xxx.xxx.xxx port 53501 ssh2
Oct 12 23:17:44 angel sshd[3875]: Failed password for invalid user tini from xxx.xxx.xxx.xxx port 53552 ssh2
Oct 12 23:17:44 angel sshd[3877]: Failed password for invalid user warez from xxx.xxx.xxx.xxx port 53564 ssh2

The attacker was from the Ukraine.
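As an added example (not part of any post above, and not BFD's or rfxnetworks' code), here is a small POSIX shell script that does the core of what the BFD HowTo and the ban alert above describe: it scans sshd "Failed password" lines, counts failures per source IP, and emits the `apf -d` deny commands for any IP over a threshold. The log lines are constructed for this example using RFC 5737 documentation addresses; the threshold is a parameter rather than BFD's own default. It also counts failures per account, to show the DoS scenario from the earlier reply: with a threshold of 3, the account "admin" has 4 failures in total and an account-level lockout would lock the real admin out, while the IP-level count bans only the two attacking hosts and leaves admin's own host (one failure) untouched.

```shell
#!/bin/sh
# Constructed sample sshd log lines (not from the original thread).
# 203.0.113.9 and 192.0.2.55 are attackers; 198.51.100.7 is admin's own host.
SAMPLE_LOG='Oct 12 23:17:41 angel sshd[3873]: Invalid user warezz from 203.0.113.9
Oct 12 23:17:41 angel sshd[3875]: Invalid user tini from 203.0.113.9
Oct 12 23:17:44 angel sshd[3873]: Failed password for invalid user warezz from 203.0.113.9 port 53501 ssh2
Oct 12 23:17:44 angel sshd[3875]: Failed password for invalid user tini from 203.0.113.9 port 53552 ssh2
Oct 12 23:17:44 angel sshd[3877]: Failed password for invalid user warez from 203.0.113.9 port 53564 ssh2
Oct 12 23:18:02 angel sshd[3880]: Failed password for admin from 198.51.100.7 port 41022 ssh2
Oct 12 23:18:10 angel sshd[3882]: Accepted publickey for admin from 198.51.100.7 port 41030 ssh2
Oct 12 23:18:30 angel sshd[3884]: Failed password for admin from 192.0.2.55 port 50001 ssh2
Oct 12 23:18:31 angel sshd[3885]: Failed password for admin from 192.0.2.55 port 50002 ssh2
Oct 12 23:18:32 angel sshd[3886]: Failed password for admin from 192.0.2.55 port 50003 ssh2'

# count_failures LOGTEXT
# Prints "count ip" for every source IP with sshd password failures.
# Only "Failed password" lines are counted; the preceding "Invalid user"
# lines describe the same attempt and would double-count it.
count_failures() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# count_by_account LOGTEXT
# Same, but keyed on the target user name. This is the account-level
# view that an attacker can abuse to lock a real user out.
count_by_account() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                u = $(i+1); if (u == "invalid") u = $(i+3); n[u]++; break
            }
        }
        END { for (u in n) print n[u], u }' | sort -rn
}

# offenders LOGTEXT THRESHOLD
# Prints the source IPs whose failure count reached the threshold.
offenders() {
    count_failures "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# ban_commands LOGTEXT THRESHOLD
# Emits the APF deny command (apf -d HOST "comment") for each offender.
# Printed, not executed: review before running on a live host.
ban_commands() {
    count_failures "$1" | awk -v t="$2" '$1 >= t {
        printf "apf -d %s \"sshd: %d login failures\"\n", $2, $1 }'
}

if [ "${1:-}" = "demo" ]; then
    echo "Failures per source IP:";   count_failures "$SAMPLE_LOG"
    echo "Failures per account:";     count_by_account "$SAMPLE_LOG"
    echo "Deny commands (threshold 3):"; ban_commands "$SAMPLE_LOG" 3
fi
```

Run it with `sh script.sh demo`. To use it against a real host, replace `SAMPLE_LOG` with the output of `grep sshd /var/log/secure` (or wherever your distribution writes sshd's auth log) and only pipe the emitted commands into a shell once you are satisfied your own address is not in the list.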

BFD does work. However, personally I found that to eliminate all the overhead that goes with people slumming against port 22 (account verifications, etc.) and then subsequently BFD having to process against the attacks, it was much better for me to disable access to port 22 at the APF level and add my IP (and any other necessary IPs) to the "Trusted IPs" list in APF.

I guess it’s just the opposite way to solve the same problem. Instead of banning each attempt at 22 access one-by-one, I block them all and create exceptions for the one(s) I want.

JB

Sounds completely sensible to me. :slight_smile: