[SoCoSA/discuss] blocking brute force attacks

Kevan Benson kbenson at a-1networks.com
Thu Nov 29 11:50:22 PST 2007


Sean wrote:
> I'm new to this group, and I'm hoping to meet other members at the next meeting.
> 
> I'm still feeling my way a bit regarding the finer points of linux
> security (Debian Etch in my case), and I'm hoping that some of you can
> point me in a good direction on this.
> 
> My public IP servers periodically get attacked via brute force login
> attempts (FTP and SSH). I've attempted to solve this in the past using
> hosts.deny, but it ended up causing too many unwanted positives and
> was somewhat difficult to unblock an IP. Would you mind sharing with
> me what you've found to be effective? It's obviously hard to
> impossible to block non-us IPs from connecting via ftp or ssh, as I
> couldn't find anything on this other than what turned into a two-way
> flame war.
> 
> If any of you have suggestions, or links I can read, I'd appreciate
> it. If you think hosts.deny would be a good option, I can always
> re-visit it and take another look at the configuration options.

Assuming what I think would be the worst case scenario, which is...

1) You have to allow SSH and/or FTP access to outside individuals and 
have little or no control over the passwords they choose (i.e. they can 
reset them after you initially set them)
2) You can't control where the outside users are connecting from, and 
you can't impose restrictions like a VPN (OpenVPN would be a good simple 
solution here).
3) The users need unfettered access to system utilities and files.

...then you are in a really bad spot.  I would personally treat this 
system as always potentially compromised, and take steps to make sure 
nothing confidential integral to your business is housed on or depends 
on that system.  Maybe even mount any data that you need from another 
system through SSH or SMB if that allows for easier segregation 
(otherwise it's just another possible breach vector for someone who gets

If you can control #1, things aren't that bad.  Just institute a 
password policy that requires all passwords be very good and have to be 
set through you.

If you can control #2, see many of the other replies you've got, but 
long story short, just allow specific addresses to even access FTP and SSH.

If #3 isn't a requirement, use the chroot ssh patch/dist 
(http://chrootssh.sourceforge.net/) and a chrooting FTP server such as 
vsftp.  Usefully, they both chroot in the same manner (through an extra 
"/." in the $HOME defined in /etc/passwd).  Chrooting SSH is a bit 
harder than vsftp (it's a real chroot), but there's plenty of howtos 
available online.

-- 

-Kevan Benson
-A-1 Networks
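Detection logic for the brute-force pattern Sean describes, as an added example that is not part of this thread (Python written for this page, not any list member's code): it counts failed sshd logins per source address in a sliding window, skips an operator-maintained allowlist so known-good sites never produce the "unwanted positives" that hosts.deny caused, and returns the candidates for blocking. The log lines, addresses, threshold and window are constructed assumptions.

```python
"""Sliding-window brute-force detector over sshd auth-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Matches the 'Failed password' line sshd writes to auth.log (syslog timestamp first).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def allowed(ip, nets):
    """True if ip falls inside any allowlisted network (never block these)."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)

def offenders(lines, threshold=5, window_s=60, allowlist=(), year=2007):
    """Return {ip: peak_failures} for addresses with >= threshold failures in window_s seconds."""
    nets = [ip_network(n) for n in allowlist]
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or allowed(m["ip"], nets):
            continue
        # syslog lines carry no year, so one is supplied (assumption for the sample).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed auth.log lines: one scanner, one allowlisted site, one user who mistyped thrice.
SAMPLE = [
    f"Nov 29 11:50:{s:02d} host sshd[123]: Failed password for invalid user admin from 203.0.113.9 port 4{s:04d} ssh2"
    for s in range(0, 12, 2)
] + [
    f"Nov 29 11:51:{s:02d} host sshd[124]: Failed password for root from 192.0.2.7 port 5{s:04d} ssh2"
    for s in range(0, 12, 2)
] + ["Nov 29 11:52:00 host sshd[125]: Failed password for alice from 10.0.0.5 port 51000 ssh2"] * 3

if __name__ == "__main__":
    print(offenders(SAMPLE, allowlist=["192.0.2.0/24"]))   # only the scanner is reported
```

Feed it real lines with something like `offenders(open("/var/log/auth.log"))` and hand the result to whatever blocking mechanism you choose; keeping the allowlist outside the blocker is what makes unblocking a known site a one-line change.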


