I brought up a ClearOS 6.3 server, and was hacked within 72 hours this March. Did it again with ClearOS 6.5 just this week, and I was appalled at the number of professional (and not!) organizations actively trying to break into my machine. Time to let go of the 70's and 80's and deal with the thugs ruining the modern internet.
One of my machine hardening exercises was the installation of DenyHosts, an open source log-based intrusion prevention script. It works by banning IP addresses after a set number of failed login attempts.
Turns out it's easy to install under ClearOS 6.5:
1) Install DenyHosts
yum --enablerepo=clearos-epel install denyhosts
2) Whitelist your local IP addresses
vi /etc/hosts.allow
3) Configure DenyHosts (if you need to, it comes usable out of the "box")
vi /etc/denyhosts.conf
4) Enable DenyHosts
/etc/init.d/denyhosts restart
Review the /etc/hosts.deny file after it's running, to verify which hosts are on the "bad" list, and especially notice whether any of your IPs are there. Fix /etc/hosts.allow if there are.
5) Happy? Working well? Restart DenyHosts when you reboot:
chkconfig denyhosts on
-David
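As an added example that is not part of David's post: a small POSIX shell check for the review step in 4), reporting any address DenyHosts has written to hosts.deny that also appears in hosts.allow. The file paths are arguments (the defaults assume the system files), and only single addresses and dotted prefixes like 10.0.0. are matched, not CIDR or hostnames.

```shell
#!/bin/sh
# Added example, not from the original post. Reports addresses that DenyHosts
# has banned in hosts.deny even though hosts.allow whitelists them, which is
# the situation the review step asks you to look for.

# Print the IP addresses from "sshd: 203.0.113.5 # DenyHosts: ..." style lines.
denied_ips() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/^[^:]*:[[:space:]]*\([0-9.]*\).*/\1/p' \
        | sort -u
}

# Print the comma-separated client entries after the service name in hosts.allow.
allowed_entries() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n 's/^[^:]*:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# Print one line per banned address that matches an allow entry.
# Returns 0 when there is no overlap, 1 when at least one was found.
check_overlap() {
    deny_file=${1:-/etc/hosts.deny}
    allow_file=${2:-/etc/hosts.allow}
    found=0
    for ip in $(denied_ips "$deny_file"); do
        for entry in $(allowed_entries "$allow_file"); do
            hit=0
            case "$entry" in
                *.) case "$ip" in "$entry"*) hit=1 ;; esac ;;   # prefix such as 10.0.0.
                *)  if [ "$ip" = "$entry" ]; then hit=1; fi ;;  # single address
            esac
            if [ "$hit" -eq 1 ]; then
                echo "$ip is banned in $deny_file but whitelisted as '$entry' in $allow_file"
                found=1
            fi
        done
    done
    return $found
}
```

Run it as `check_overlap` with no arguments on the server; a non-zero exit means hosts.allow needs fixing before you trust the ban list.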
Responses (3)
Accepted Answer
This is a new one for me. The program mainly mentioned here is fail2ban which looks like it can cover the same sort of functionality.
You may also want to search this forum for ipset. There is a script which makes use of block lists from Emerging Threats. For me it picks up quite a lot of port 22 activity, especially from one Chinese bot subnet and a fair amount from a Russian bot.
Accepted Answer
Hi, thanks for your post.
I'm assuming you have opened up external access to SSH which is not a great thing to do...one of the simplest things to get your server off the bot scans is to move to a different default port... (see /etc/ssh/sshd_config)
Then instead of giving the world access just open up the port for specific source IPs only... (add to /etc/clearos/firewall.d/custom)
iptables -I INCOMING -i eth0 -s w.x.y.z -p tcp --dport 22 -j ACCEPT
Then run 'service firewall restart'
Another alternative is to do the following (in no particular order): disable root logins, disable password authentication (use key based login), fail2ban.