Wednesday, June 15, 2011

Block brute force attacks using DenyHosts


Issue:
Check your /var/log/auth.log file. In it you may see that an unauthorized user is constantly trying to access your system with a brute force attack: a script that keeps trying to log in with different passwords. We can block this using a simple iptables rule.
Step 1 : Install the DenyHosts tool on your system.
apt-get install denyhosts
Step 2 : Configure the /etc/denyhosts.conf file based on your requirements
* Configure this file to analyze the log file:
SECURE_LOG = /var/log/auth.log (default)
DENY_THRESHOLD_INVALID = 3 (blocks a host after this number of failed logins for invalid users)
DENY_THRESHOLD_VALID = 5 (blocks a host after this number of failed logins for valid users)
DENY_THRESHOLD_ROOT = 3 (the same, for root logins)
Step 3 : Restart DenyHosts
/etc/init.d/denyhosts restart
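
An added example, not part of the original post and not DenyHosts' own code: a Python script that counts failed SSH logins per host in auth.log lines and reports which hosts reach the thresholds from step 2. The sample log lines are constructed, and treating a host as blocked once its count reaches the threshold is an assumption.

```python
import re
from collections import Counter

# Thresholds as set in step 2 of this post.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 3}

# OpenSSH "Failed password" line; "invalid user" marks a non-existent account.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port \d+ ssh2$"
)

def classify(match):
    """Map a failed login to the DENY_THRESHOLD_* bucket it counts against."""
    if match.group("user") == "root":
        return "root"
    return "invalid" if match.group("invalid") else "valid"

def hosts_over_threshold(lines, thresholds=THRESHOLDS):
    """Return {host: [buckets]} for hosts whose failures reach a threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[(m.group("host"), classify(m))] += 1
    flagged = {}
    for (host, bucket), n in sorted(counts.items()):
        if n >= thresholds[bucket]:  # assumption: block when count reaches it
            flagged.setdefault(host, []).append(bucket)
    return flagged

# Constructed sample lines in auth.log format (documentation IP ranges).
SAMPLE = """\
Jun 15 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun 15 10:00:03 srv sshd[2102]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Jun 15 10:00:05 srv sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Jun 15 10:01:10 srv sshd[2110]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun 15 10:01:20 srv sshd[2111]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Jun 15 10:01:30 srv sshd[2112]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
Jun 15 10:02:00 srv sshd[2120]: Failed password for root from 192.0.2.9 port 60000 ssh2
Jun 15 10:02:02 srv sshd[2121]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jun 15 10:02:04 srv sshd[2122]: Failed password for root from 192.0.2.9 port 60002 ssh2
"""

if __name__ == "__main__":
    for host, buckets in hosts_over_threshold(SAMPLE.splitlines()).items():
        print(host, "would be blocked for:", ", ".join(buckets))
```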