Thousands of failed root attempts - how to block?

BFD
http://rfxnetworks.com/bfd.php

It works in conjunction with apf firewall but can be modified to work with your /etc/hosts.deny file

 

Even better, check this out:

http://forums.theplanet.com/viewtopic.php?t=15178

 

http://denyhosts.sourceforge.net/

 

An alternate option would be to put sshd on a different port. vi /etc/ssh/sshd_config, change the port near the top, /etc/rc.d/init.d ssh restart and never deal with your logs filling up with garbage from brute force attempts again.

 

That's what I'd recommend too - change SSH to a different port. Do also install APF+BFD for good protection, but most script kiddies pass you by if they don't find SSH on port 22 and don't bother scanning up for a different port - helps save on iptables entries too.

 

I want to do this but would like to check which parts of apf do I add my chosen new port?

IG_TCP_CPORTS ?

EG_TCP_CPORTS ?

TOS_16 ?

or all of the above?

dont wanna lock myself out .... s
Thanks

 

The most important is to add it to IG_TCP_CPORTS and then restart APF.

 

Chirpy is not going to toot his own horn, but he has a GREAT FIREWALL that you can get from hist site. I know this is an OLD post, but for others reading it, go to his site at configserver and see CSF! He has gone over the edge in options and continues to make it better daily. We would also suggest his services

 

I had the same issue, changing SSH port solved the issue. I also added lot of security features described in the list above.

 

From APNIC

from APNIC IP list

ex. KR IP address uKR.txt(Attach Files)
ex. CN IP address uCN.txt(Attach Files)
ex. HK IP address uHK.txt(Attach Files)
ex. TW IP address uTW.txt(Attach Files)

 

I second this

I can configure CSF in a way that I never could with APF.

 

The best thing to do is change the port from 22 to some thing else and also use SSH Keys Do this and your ssh will never get hacked or failed logins also once you have got logged in and understand how to use ssh keys then disable password authentication.

I hope this helps

 

I've changed the SSH port and just doing that helped tremendously. My next step will be to set up the keys, that's a great suggestion.

 

What IP list is this? What do you use it for? Where did you get it?

 

You obviously missed the link (under "APNIC") - that's where he got it from!

 

I was having the same issue when I first brought my server online. I just removed port 22 (SSH) from the open ports list in CSF. Then I placed my ip in the allowed hosts lists. So the only people that can ssh into the server are the people with their ip in the allowed hosts list.

 

That's actually a great, simple solution. Make sure you also allow your data centre to login though, and make sure you have a backup plan to gain access if you get blocked by CSF (unlikely since you're in the allow list).

To make it even more unlikely that you'd get blocked by csf accidentally, it's worth turning on the cool new csf RELAYHOSTS feature - just set it to 1 in the config file. It then won't block IPs belonging to authenticated users - ie your legitimate users. I take credit for suggesting the way this works to Chirpy but couldn't beleive he'd added it in under 24 hours! e By the way, this is an important enhancement as it saves support time - you won't get valid users getting blocked.