Brute Force attack - a method of hacking or breaking into a computer system by finding passwords by going through all possible combinations of characters until finding the combination that fits as a password
Protection with DenyHosts
Installation:
# cd /usr/ports/security/denyhosts
# make install clean
Edit the file /etc/hosts.allow:
sshd : /etc/hosts.denied : deny (deny ssh access from hosts in /etc/hosts.denied)
sshd : ALL : allow (allow access)
In the denyhosts configuration file - /usr/local/etc/denyhosts.conf specify the option:
HOSTS_DENY = /etc/hosts.denied
Explain the line otherwise denyhosts will not start:
BLOCK_SERVICE = ALL
Add to autoload:
# echo 'denyhosts_enable="YES"' >> /etc/rc.conf
To avoid that denyhosts will complain during startup about a missing file, create one:
# touch /etc/hosts.denied
And then start denyhosts right away :
# /usr/local/etc/rc.d/denyhosts start
The configuration is now complete.
Protecting with inetd
Installation:
Centos
# yum install inetd
Debian/Ubuntu
# apt-get install xinetd
Inetd parameters:
- -c maximum
Defines the maximum number of simultaneous runs of each service; no limit by default.
Can be overridden individually for each service using the max-child parameter.
- -C rate
Specifies, by default, the maximum number of times a service can be invoked from a single
IP address per minute; not limited by default. Can be overridden for each service
by the max-connections-per-ip-per-minute parameter.
- -R rate
Specifies the maximum number of times a service can be called per minute; by default
256. A frequency of 0 does not limit the number of calls.
- -s maximum
Sets the maximum number of processes simultaneously serving one service for one IP
address; not limited by default. Can be overridden for each service by the max-child-per-ip parameter.
Lines in /etc/inetd.conf file have the following format:
service-name
socket-type
protocol
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]
user[:group]][/login-class
server-program
server-program-arguments
Implementing
Modify the parameters for the FTP and SSH services as follows:
Centos/Debian/Ubuntu
# /etc/xinetd.conf
Contents:
ftp stream tcp nowait/5/1/2 root /usr/local/sbin/in.proftpd proftpd
ssh stream tcp nowait/5/1/2 root /usr/sbin/sshd sshd -i -4
Restarting inetd:
Debian/Ubuntu
# /etc/init.d/xinetd restart
Centos 7
# systemctl restart xinetd
In this case, 5 clients can access the services at the same time, from one IP address 2 connections are possible at the same time, and from one IP address can not connect more than once per minute.
Additional protection for ssh
Add the following option to /etc/sshd_config file:
MaxAuthTries 1
This means that the user is allowed MaxAuthTries + 1 = 2 authorization attempts.
To allow only one authorization attempt, you must set MaxAuthTries to 0:
MaxAuthTries 0
Additional protection for proftpd
In file /usr/local/etc/proftpd.conf we add
MaxLoginAttempts 1
Now only 1 login attempt is possible on a connection
Protect mail (dovecot) with inetd
To do this, stop dovecot:
# /usr/local/etc/rc.d/dovecot stop
Then in the file /etc/rc.conf comment out the dovecot entry:
#dovecot_enable="YES"
And add the following entries in /etc/inetd.conf:
imap stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login
imaps stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login --ssl
pop3 stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login
pop3s stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login --ssl
Restart inetd
Debian/Ubuntu
# /etc/init.d/xinetd restart
Centos 7
# systemctl restart xinetd