Blocking servers probing for authentication credentials

Sometimes you need to block a server that is repeatedly probing your server, trying to brute-force crack authentication details.

As a quick short-term fix, the easiest way to block them is simply to block them with the firewall:

iptables -I INPUT -s 1.2.3.4 -j DROP

Using DROP rather than REJECT means the probing client gets no response at all and has to wait for each connection attempt to time out instead of receiving an immediate rejection, which slows the attack down and causes maximum inconvenience.

However, this firewall rule will be lost on reboot and you’ll have to keep checking the log files for other attacks.

For a longer term solution, install fail2ban. This will monitor the log files for failed login attempts on various services and automatically add the offending addresses to your firewall rules for you.

apt-get install fail2ban

On Debian, this is pretty much configured as you want. All you need to do is edit /etc/fail2ban/jail.conf to add your own IP addresses to the ignoreip whitelist and enable the services that you want it to keep an eye on (ssh is already enabled).

Add to whitelist:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 1.2.3.4
bantime  = 6000
maxretry = 3

Enable Postfix:

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log

It’s a good idea to enable it for POP, IMAP and FTP as well.
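As an added example (not code from the original post or from fail2ban itself), this script shows the core of what fail2ban does with the settings above: it counts failed logins per source address in constructed sshd and postfix log lines, skips addresses on the ignoreip whitelist, and emits the same iptables DROP rule the post uses for any address that reaches maxretry. The two log patterns and the exact-match whitelist (no CIDR handling) are simplifications of fail2ban's real filters, and the log lines and addresses are made up.

```shell
# Constructed sample log lines in the style of sshd and postfix SASL failures
# (illustrative data only, not captured from a real server).
SAMPLE_LOG='Jan  9 10:00:01 host sshd[1]: Failed password for root from 203.0.113.5 port 4444 ssh2
Jan  9 10:00:02 host sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 4445 ssh2
Jan  9 10:00:03 host sshd[1]: Failed password for root from 203.0.113.5 port 4446 ssh2
Jan  9 10:00:04 host sshd[2]: Failed password for root from 198.51.100.7 port 5000 ssh2
Jan  9 10:00:05 host postfix/smtpd[3]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Jan  9 10:00:06 host postfix/smtpd[3]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Jan  9 10:00:07 host postfix/smtpd[3]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Jan  9 10:00:08 host sshd[4]: Failed password for root from 127.0.0.1 port 6000 ssh2
Jan  9 10:00:09 host sshd[4]: Failed password for root from 127.0.0.1 port 6001 ssh2
Jan  9 10:00:10 host sshd[4]: Failed password for root from 127.0.0.1 port 6002 ssh2'

# Mirrors the [DEFAULT] values from jail.conf in the post. This simplified
# whitelist matches exact addresses only; fail2ban also accepts CIDR masks.
IGNOREIP="127.0.0.1 1.2.3.4"
MAXRETRY=3

# offenders: read log text on stdin and print one source IP per line that
# reached MAXRETRY failures and is not whitelisted.
offenders() {
  # pull the source IP out of the two failure patterns (sshd and postfix SASL)
  sed -n \
    -e 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port.*/\1/p' \
    -e 's/.*postfix\/smtpd\[[0-9]*\]: warning: [^[]*\[\([0-9.]*\)\]: SASL [A-Z]* authentication failed.*/\1/p' \
  | sort | uniq -c \
  | awk -v max="$MAXRETRY" -v ignore="$IGNOREIP" '
      BEGIN { n = split(ignore, arr, " "); for (i = 1; i <= n; i++) skip[arr[i]] = 1 }
      $1 >= max && !($2 in skip) { print $2 }'
}

# build_ban_commands: turn the offender list into the DROP rules the post uses
build_ban_commands() {
  offenders | while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

printf '%s\n' "$SAMPLE_LOG" | build_ban_commands
```

Run against a real /var/log/auth.log or /var/log/mail.log the output lists the rules you would otherwise add by hand; fail2ban keeps them in its own fail2ban-* chains and removes them again after bantime.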


Date: January 9, 2015

Category: Linux Admin Tips

Author: John Taylor

Responses To This Post:

  1. John Taylor says:

    To remove IP addresses from the banned list (when a valid user has tried too many times), you need to run ipchains as root:

    iptables -D _chain_ -s _ip_address_ -j DROP

    Where _ip_address_ should be replaced with the address that is blocked and _chain_ should be replaced with the appropriate chain, e.g. fail2ban-dovecot, fail2ban-postfix or fail2ban-ssh.
