Thursday, April 23, 2009

You have SSH or FTP open and want to save bandwidth?

If you have SSH or FTP open on your server (*nix) and are noticing bandwidth drops (probably in the evening if you're stateside), then check your logs (firewall, /var/log/messages, /var/log/secure, etc.).

In my case, I noticed a whole lot of brute force attempts. Nothing connecting successfully, but lots and lots of connections. Sometimes thousands throughout the night.

Enough, I said. I then hit Google to figure out what I could do about it. DenyHosts and Fail2Ban to the rescue! DenyHosts checks entries in the secure log and adds the offending hosts to hosts.deny on the fly (it's scriptable, can be run from cron, and can be configured to send you reports as well!). I use DenyHosts for SSH connections; I couldn't get it to work for FTP, though.

Here comes Fail2Ban. After some more searching, I found Fail2Ban. You can have Fail2Ban run a wrapper to check whatever log you want and look for certain patterns to trigger the ban from. It works a lot like DenyHosts: it then adds the "banned" IP addresses to hosts.deny. It can be run from cron as well, and can also send reports to an admin.

http://denyhosts.sourceforge.net/
http://www.fail2ban.org/wiki/index.php/Main_Page
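As an added illustration (not the author's setup and not either project's own code), here is the core of what DenyHosts and Fail2Ban do: scan a log for failed logins, count them per client address, and emit hosts.deny entries once a threshold is crossed. The log lines, the threshold of 3 and the `ALL:` daemon field in the hosts.deny entries are constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/secure (sshd) and a
# vsftpd log. They are made up for this example, not captured traffic.
SAMPLE_LOG = """\
Apr 23 01:12:04 box sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Apr 23 01:12:06 box sshd[2213]: Failed password for root from 192.0.2.10 port 51240 ssh2
Apr 23 01:12:09 box sshd[2215]: Failed password for invalid user oracle from 192.0.2.10 port 51244 ssh2
Apr 23 01:15:30 box sshd[2230]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2
Apr 23 01:20:01 box sshd[2240]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Thu Apr 23 02:00:11 2009 [pid 3001] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Thu Apr 23 02:00:12 2009 [pid 3002] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Thu Apr 23 02:00:13 2009 [pid 3003] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
Thu Apr 23 02:00:14 2009 [pid 3004] [ftpuser] FAIL LOGIN: Client "203.0.113.5"
"""

# One failure pattern per service; each captures the client address.
# A "wrapper" for another daemon is just one more entry here.
FAIL_PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port"),
    "vsftpd": re.compile(r'FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"'),
}


def count_failures(log_text):
    """Return {ip: number of failed logins} across all known patterns."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in FAIL_PATTERNS.values():
            match = pattern.search(line)
            if match:
                counts[match.group(1)] += 1
                break  # one failure per line, whichever service logged it
    return counts


def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures, worst first."""
    counts = count_failures(log_text)
    hits = [ip for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda ip: (-counts[ip], ip))


def hosts_deny_lines(ips):
    """Render hosts.deny entries; 'ALL' (every tcp_wrappers service) is an
    assumption here, DenyHosts defaults to blocking sshd only."""
    return ["ALL: %s" % ip for ip in ips]
```

Both tools also persist state between runs and can expire bans after a while; this snippet keeps only the detect-and-render step.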

My reports on attacks are a LOT shorter now (after 'x' failed attempts, the host is permabanned), and my bandwidth in the evening is closer to normal now.
