
Box got slow and decided to vim /var/log/secure and saw a bunch of brute force methods trying to ssh with names starting from A-Z.

iptables was installed so I added the ip via:

iptables -I FORWARD -s [ip] -j DROP
iptables -I INPUT -s [ip] -j DROP

It seemed like it blocked his IP automatically. I did:

iptables -nvL|less

Which showed his IP being supposedly blocked:

Chain INPUT (policy ACCEPT 26G packets, 9985G bytes)
 pkts bytes target     prot opt in     out     source               destination         
   23  1400 DROP       all  --  *      *       [HIS_IP]         0.0.0.0/0           
  26G 9985G PORTSEN    all  --  *      *       0.0.0.0/0            0.0.0.0/0  

Is this it? Do I need to use any command to actually save it? Like `service iptables save`? Or is this automatically saved?

As a preventative measure, I'm going to follow a guide and add:

iptables -I INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -I INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP

Are these measures enough for the low to medium level attacks? Would appreciate any input.

meder omuraliev

2 Answers

You should rather use a tool like fail2ban which automatically responds to brute force attacks and manages the IP bans.

mgorven
  • So `fail2ban` would be a replacement over `iptables`, right? They can't live together, due to conflicts, etc. – meder omuraliev Mar 01 '13 at 20:52
  • @meder No, fail2ban will use iptables to block detected IPs. They can be used together. – mgorven Mar 01 '13 at 20:53
  • I see. So with my current rules as is, after installing fail2ban, what basic configuration commands should I set, or will it auto-read the iptables and just configure automatically? – meder omuraliev Mar 01 '13 at 20:54
  • @meder Have a look at the [manual](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8). – mgorven Mar 01 '13 at 20:56
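The fail2ban approach recommended above and the `-m recent` rule in the question rest on the same idea: count events per source address inside a time window and drop the address once it crosses a threshold. What differs is what gets counted. The recent-module rule counts every NEW connection to port 22, successful or not, while fail2ban reads the authentication log and counts failed logins. The script below is an added example, not fail2ban's code and not from anyone in this thread: it parses constructed `/var/log/secure`-style lines, applies the question's 4-hits-in-180-seconds threshold to failed logins, and renders the same `iptables -I INPUT -s … -j DROP` rule the asker inserted by hand for each offender (it prints the rules; it does not run them). The hostname, PIDs, addresses and the year used for the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/secure.
# Hostname, PIDs and addresses are made up (documentation ranges); the
# alphabetical usernames mirror the pattern the question describes.
SAMPLE_LOG = """\
Mar  1 20:40:01 box sshd[4101]: Failed password for invalid user adam from 203.0.113.5 port 51234 ssh2
Mar  1 20:40:03 box sshd[4103]: Failed password for invalid user alice from 203.0.113.5 port 51236 ssh2
Mar  1 20:40:05 box sshd[4105]: Failed password for invalid user bob from 203.0.113.5 port 51238 ssh2
Mar  1 20:40:07 box sshd[4107]: Failed password for invalid user carol from 203.0.113.5 port 51240 ssh2
Mar  1 20:41:10 box sshd[4109]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  1 20:45:30 box sshd[4111]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  1 20:46:00 box sshd[4113]: Accepted publickey for meder from 192.0.2.10 port 50000 ssh2
"""

# One sshd failure line: syslog timestamp, host, sshd[pid], then the failure text.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2013):
    """Return {source_ip: [datetime, ...]} for every 'Failed password' line.

    syslog timestamps carry no year, so the caller supplies one (assumed 2013,
    the year of the thread). Lines that are not failures are ignored.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["ip"]].append(stamp)
    return dict(failures)


def find_offenders(failures, seconds=180, hitcount=4):
    """Flag every IP with at least `hitcount` failures inside some `seconds` window.

    Same threshold as the question's recent-module rule (--seconds 180
    --hitcount 4), but applied to failed logins rather than to new connections.
    Returns {ip: total_failures} for the flagged addresses only.
    """
    offenders = {}
    for ip, stamps in failures.items():
        stamps = sorted(stamps)
        # Slide a window of `hitcount` consecutive failures along the timeline.
        for i in range(hitcount - 1, len(stamps)):
            span = (stamps[i] - stamps[i - hitcount + 1]).total_seconds()
            if span <= seconds:
                offenders[ip] = len(stamps)
                break
    return offenders


def ban_rules(offenders):
    """Render the per-IP DROP rule from the question, one line per offender."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(parse_failures(SAMPLE_LOG))
    for ip, count in hits.items():
        print(f"{ip}: {count} failed logins")
    for rule in ban_rules(hits):
        print(rule)  # rendered only; review before applying, or let fail2ban do it
```

On the sample input only 203.0.113.5 is flagged: its four failures fall within six seconds, while the two root failures from 198.51.100.7 are more than 180 seconds apart and stay under the threshold. Rules inserted with `iptables -I` live only in the running kernel; on RHEL/CentOS systems using the iptables init script, `service iptables save` writes the current rules to `/etc/sysconfig/iptables` so they are reloaded after a reboot.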

Try DenyHosts; it's in the EPEL repository.

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

ghm1014
  • I suggest you use something that is maintained for you in an official (of sorts) repository instead of self-built stuff. The work needed to keep up with new versions, possible incompatibilities when something else is updated, and so on, just isn't worth it. – vonbrand Mar 02 '13 at 02:24