From The Hacker News

  • @[email protected]
    link
    fedilink
    English
    151 year ago

    Does anyone know of a linux tool that can immediately ban an IP address if they try to log in to ssh with specific user names? I see a ton of attempts in my logs for names like fax, mysql, admin, and of course root. Fail2ban only works if the same IP makes repeated attempts but I’m betting if I could generate a list from these failed attempts it would probably correlate with standard blocklists of compromised hosts. For that matter, is there a way to use an RBL to limit addresses that ssh will even accept? Of course none of these attempts have a chance of logging in, but it would still be nice to further limit my exposure for any future attacks.

    • StarDreamer
      link
      fedilink
      English
      12
      edit-2
      1 year ago

      Sounds like a job for crowdsec. Basically fail2ban on steroids. They already have a ban scenario for attempts to exploit web application CVEs. While the default ssh scenario does not ban specific usernames, I’m pretty sure writing a custom one would be trivial (writing a custom parser+scenario for ghost cvs from no knowledge to fully deployed took me just one afternoon)

      Another thing I like about crowdsec is the crowd sourced ban IPs. It’s super nice you can preemptively ban IPs that are port-scanning/probing other people’s servers.

      It’s also MIT licensed and uses less ram than fail2ban.

      • @[email protected]
        link
        fedilink
        English
        11 year ago

        Hmm I keep hearing about it but haven’t looked into it. One thing I have set up between my systems if they share the blocked IPs with each other so every server drops a blocked address at the same time… I assume crowdsec has something similar for local sharing so I don’t have to wait for a blocked IP to be sent to them, added to the database, and sent back to my local machines again?

        • StarDreamer
          link
          fedilink
          English
          2
          edit-2
          1 year ago

          One way to do this would be set up crowdsec bouncers on each server but only run a single instance of the crowdsec daemon. Send all logs to the daemon and let it communicate with all the bouncers.