I run several servers, all of which run Linux, OpenSSH, and Apache HTTPD. Some run vsftpd as well (legacy requirements). They are all attacked by brute-force hacking attempts daily, yes, daily. Every day I go through my logs and see the tens of thousands of attempted break-in attacks. It's annoying, and it tends to make the log files very long to look through. Even my parsed and abstracted log reports are forced into long lists of attacking IP addresses and attempted usernames. Here is an example from just today on ONE server:
Failed SSH logins: 2971
Failed FTP logins: 18,415
Failed SMTP logins: 1656
And this is not a server hosting super popular websites or mirrors. This is just a no-name server hosting a couple of websites. In the past I used to contact the owners of the IP addresses these came from, but it became tedious and difficult. They're often internet providers' dynamic IPs assigned to clients, and the ISP tends not to care that they are attacking my server (most likely, the clients are trojaned anyway).
All these attempted attacks do is waste resources. They waste my bandwidth, processing, and storage (the log files).
Just me deciding to put into writing one of my daily annoyances.
I don't mean to preach to the choir, but there are things you can do about this. In my particular situation I only need to allow SSH/FTP access to a few people and have made an arrangement with them to only allow access from predetermined IP addresses. Iptables drops all other connection attempts without logging. If you can't do that there is always DenyHosts, the dynamic tcpwrapper script for hosts.deny. I deny all and only allow known hosts, but if you're open to the world this may be handy. Of course, as a minimum line of defense you could move listening services to unused high ports. Obscurity is better than nothing.
I’m lucky in that I can limit connections to known hosts. An attacker won’t even know my system is there with a full port scan. I remember, though, the days when I’d have thousands of attempted connections a day. Don’t miss it a bit.
Very good points, and I've looked into a few of them. Unfortunately the IP block won't work; between users who roam a lot and dynamic IPs, it's just not feasible for several servers. I've actually looked at DenyHosts and the SSH door knockers (you attempt two SSH connections, which fail as there is no SSH server listening; the third time it connects, if from the same IP), which are promising, but I've had some issues with software versions and possibly breaking simple rpm software updates.
It's always a balancing act, and on some of my servers I've implemented the things you've mentioned, as they help a LOT. Just wish it didn't have to be so (I know, dreaming again…) 🙂