Brute-force password attack protection

General support questions
zsego
Posts: 2
Joined: 2011/10/26 18:18:30

Brute-force password attack protection

Post by zsego » 2011/11/03 20:28:20

Hello there!
I would like to protect my CentOS server against brute-force password attack through ssh and serial connections.
Particularly, for ssh, to lockout access on that particular socket for some time, for example, 1 minute, and for
serial connections to force password change. Please help!

TrevorH
Forum Moderator
Posts: 29075
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Brute-force password attack protection

Post by TrevorH » 2011/11/03 21:09:52

Disable passwords via ssh altogether and only allow logins using a public/private key pair.

r_hartman
Posts: 706
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: Brute-force password attack protection

Post by r_hartman » 2011/11/04 08:51:30

Welcome to the CentOS fora.
[quote]
zsego wrote:
Particularly, for ssh, to lockout access on that particular socket for some time[/quote]
Have a look at fail2ban.
It's in [url=http://repoforge.org/use/]repoforge[/url].
Please consider installing and configuring [url=http://wiki.centos.org/PackageManagement/Yum/Priorities]yum-plugin-priorities[/url] in order to protect your system when using 3rd party repositories.

lightdot
Posts: 43
Joined: 2011/03/29 12:24:35
Location: Out there

Re: Brute-force password attack protection

Post by lightdot » 2011/11/04 10:30:48

Just to note, fail2ban-0.8.4-24 is also in [url=http://fedoraproject.org/wiki/EPEL]Fedora EPEL repository[/url]. I'm mentioning this because EPEL's policy is to never conflict with or replace stock packages in CentOS/SL/RHEL. You still might want to use yum-plugin-priorities just in case, though.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Brute-force password attack protection

Post by pschaff » 2011/11/04 20:59:20

RPMforge has moved all conflicting packages to [rpmforge-extras] repo - not enabled by default in their repo configuration. The priorities plugin is still a good precaution, as well as being a valuable tool for "tuning" mixed 3rd party repos.

redragon
Posts: 1
Joined: 2011/11/04 23:05:57

Re: Brute-force password attack protection

Post by redragon » 2011/11/04 23:08:04

If you are blocking anything that uses pam I would recommend pam_shield available in the Fedora EPEL repos.

It currently has an open bug for use with selinux but without selinux it works great, easy to configure, and no regex configuration required.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Brute-force password attack protection

Post by pschaff » 2011/11/07 00:02:48

If already having issues with attacks on a server I would stay away from any [i]solution[/i] that involved disabling SELinux or other security features. Actually, I would avoid it even if [b]not[/b] actively under attack. :-)

slackjack
Posts: 1
Joined: 2011/11/11 09:29:54

Re: Brute-force password attack protection

Post by slackjack » 2011/11/11 09:42:13

Try denyhosts

[url=http://denyhosts.sourceforge.net/]Denyhosts[/url]

grifs71
Posts: 157
Joined: 2007/10/02 05:15:38
Location: Arkansas, United States

Re: Brute-force password attack protection

Post by grifs71 » 2011/11/14 02:52:05

You can use port 22 but change your ipchain to only allow ssh via your network gateway; that is one simple solution.

Also, you can put rate-limiting ipchain(s) in your INPUT; this way, after x amount of tries, they are blocked for anywhere from 1 minute to any time you want.

I use this and have found it to be extremely useful and secure. Of course, you can change the port number of ssh as well.

Others mentioned deny host too; there are lots of options. I generally create some ipchain(s) to drop unwanted traffic.
