

The Best Firewall and Brute Force Attacks




Posted by Coroner, 07-10-2007, 02:04 AM
What is everybody using? Is there a "Best"? What do you guys recommend? I have read about the CSF, is this any good? Thanks in advance...... Cor

Posted by FirmbIT, 07-10-2007, 02:24 AM
You have a couple of options for a Linux server: CSF+LSM or APF+BFD. If you're running a cPanel server it is preferable to run CSF+LSM, it also includes a GUI built into WHM.

Posted by x86brandon, 07-10-2007, 02:52 AM
One of the best things you can do these days, with all these brute force attacks, is change the SSH port.

Posted by SparkSupport, 07-10-2007, 06:07 AM
Good point brandon! Changing the SSH port will definitely help to keep script kiddies away. But that won't defend against a brute force attack, because the attacker can do a portscan to find the SSH port.

Posted by serverhelpers, 07-10-2007, 07:16 AM
Hello, There are a few main ways to stop a brute force attack:
1) Restricting the amount of login attempts that a user can perform
2) Banning a user's IP after multiple failed login attempts
3) Keep a close eye on your log files for suspicious login attempts
4) Change the default port
5) Disable Password Authentication
6) Limit Connections
7) Disable Root Access
I would prefer disabling root access and setting up SSH keys for each user. If you are looking for a firewall then APF + BFD is the best possible solution.
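
Added example, not part of any post in this thread and not the code of BFD, LFD or fail2ban: a minimal sketch of the log-based approach in items 2 and 3 above, counting failed SSH logins per source IP and printing (not running) an iptables rule for each IP over a threshold. The log lines are constructed samples using documentation IP ranges, the function names are hypothetical, and it assumes IPv4 and the OpenSSH "Failed password ... from IP port N ssh2" line format.

```shell
#!/bin/sh
# Constructed sample auth-log lines (documentation-range IPs, not real data).
sample_log() {
cat <<'EOF'
Jul 10 02:04:11 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 10 02:04:13 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 10 02:04:15 host sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Jul 10 02:04:18 host sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
Jul 10 02:04:20 host sshd[2107]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.7 port 40120 ssh2
Jul 10 02:10:02 host sshd[2150]: Failed password for bob from 198.51.100.23 port 51000 ssh2
Jul 10 02:10:09 host sshd[2150]: Failed password for bob from 198.51.100.23 port 51000 ssh2
Jul 10 02:11:30 host sshd[2160]: Accepted password for alice from 192.0.2.10 port 52044 ssh2
EOF
}

# ban_candidates THRESHOLD
# Reads auth-log lines on stdin and prints "ip count" for every source IP
# with at least THRESHOLD failed password attempts.
# The IP is read from the END of the line ("from IP port N ssh2"), because the
# user name is chosen by the client and may itself contain " from <address>";
# taking the first "from" would blame the wrong host (see the fifth sample line).
ban_candidates() {
  awk -v limit="$1" '
    /sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" && $(NF-3) ~ /^[0-9.]+$/ {
      fails[$(NF-3)]++
    }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' | sort
}

# ban_rules SSH_PORT
# Turns "ip count" lines into iptables DROP rules for the given SSH port.
# The rules are only printed so they can be reviewed before being applied.
ban_rules() {
  while read -r ip _count; do
    printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$ip" "$1"
  done
}

# Five failures or more from one address: only 203.0.113.7 qualifies.
sample_log | ban_candidates 5 | ban_rules 22
```

Pass the port sshd actually listens on to ban_rules if it has been moved off 22, and keep your own management addresses out of the input so a typo-prone admin is not locked out.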

Posted by GARMTECH, 07-10-2007, 07:22 AM
iptables+fail2ban

Posted by Coroner, 07-10-2007, 09:24 AM
Thank you all for the replies, will look into all that has been mentioned. Thanks, Cor

Posted by whmcsguru, 07-10-2007, 10:33 AM
Changing the ssh port is nothing but a pain in the tail end. This doesn't SOLVE anything, and has NOTHING to do with "brute force". Alternatively, a properly built firewall package WILL do something to somewhat limit Brute Force attacks. APF in and of itself does not do this, but, as mentioned, APF + BFD will. The only problem there? These go by log files, rather than the number of connections an ip address has to your server at any time. CSF, however, comes with its own Brute Force detection setup which DOES handle things properly. Rather than look through the logs, this detection scans the number of connections to the server each ip has, etc, and will handle things based on that. THAT is the proper way to do things. Keep in mind that a TRUE brute force will never, ever be stopped by a "server" firewall. This must be stopped by the DC with a NETWORK firewall.

Posted by BurakUeda, 07-10-2007, 10:43 AM
CSF+LSM hands down. Even I can understand it with no knowledge of Linux administration. My techs are also in love with it.

Posted by Coroner, 07-10-2007, 02:53 PM
What is LSM?

Posted by jon-f, 07-10-2007, 03:29 PM
ConfigServer CSF all the way, has the most features and is just plain awesome. I would pay for it if I had to.

Posted by Orien, 07-10-2007, 08:01 PM
CSF+LFD will do the job for you. Disabling password authentication in SSH is also a big help.

Posted by Coroner, 07-10-2007, 10:01 PM
BUMP. Is LSM the same thing as LFD?

Posted by terisk, 07-10-2007, 10:25 PM
Not sure how you actually access your box. But you can use iptables to just allow ssh access from an IP that you use (statically assigned) or from an IP range. It'll only allow access to that port from that/those IPs, drastically reducing any connection attempts. If they can't connect, they can't brute force, then they can't log in. In the off chance that your IP or IP range does change, your hosting provider should have hands and eyes access to the box to log in, and you can ask them to log in with your password so they can quickly add a one line iptables rule to allow you in and you can go from there.

Posted by BurakUeda, 07-10-2007, 11:07 PM
Blah! Sorry, I meant CSF+LFD. I was under the impression of FirmbIT's post.

Posted by layer0, 07-10-2007, 11:14 PM
Most automated attacks will simply try to log in via port 22, thus you will be able to avoid those. I use a non-default SSH port on all of my servers, and honestly I never see brute force attacks to that port...YMMV. Obviously you want to have protection at the same time, but if you avoid the majority of automated attacks too, why not?


