Brute Force attack - a method of hacking or breaking into a computer system by finding passwords by going through all possible combinations of characters until finding the combination that fits as a password

Protection with DenyHosts


# cd /usr/ports/security/denyhosts
# make install clean

Edit the file /etc/hosts.allow:

sshd : /etc/hosts.denied : deny (deny ssh access from hosts in /etc/hosts.denied)  

sshd : ALL : allow (allow access)  

In the denyhosts configuration file - /usr/local/etc/denyhosts.conf specify the option:

HOSTS_DENY = /etc/hosts.denied  

Explain the line otherwise denyhosts will not start:


Add to autoload:

# echo 'denyhosts_enable="YES"' >> /etc/rc.conf

To avoid that denyhosts will complain during startup about a missing file, create one:

# touch /etc/hosts.denied

And then start denyhosts right away :

# /usr/local/etc/rc.d/denyhosts start

The configuration is now complete.

Protecting with inetd



# yum install inetd


# apt-get install xinetd

Inetd parameters:

  • -c maximum

Defines the maximum number of simultaneous runs of each service; no limit by default.
Can be overridden individually for each service using the max-child parameter.

  • -C rate

Specifies, by default, the maximum number of times a service can be invoked from a single
IP address per minute; not limited by default. Can be overridden for each service
by the max-connections-per-ip-per-minute parameter.

  • -R rate

Specifies the maximum number of times a service can be called per minute; by default
256. A frequency of 0 does not limit the number of calls.

  • -s maximum

Sets the maximum number of processes simultaneously serving one service for one IP
address; not limited by default. Can be overridden for each service by the max-child-per-ip parameter.

Lines in /etc/inetd.conf file have the following format:



Modify the parameters for the FTP and SSH services as follows:


# /etc/xinetd.conf


ftp stream tcp nowait/5/1/2 root /usr/local/sbin/in.proftpd proftpd  
ssh stream tcp nowait/5/1/2 root /usr/sbin/sshd sshd -i -4  

Restarting inetd:


# /etc/init.d/xinetd restart

Centos 7

# systemctl restart xinetd

In this case, 5 clients can access the services at the same time, from one IP address 2 connections are possible at the same time, and from one IP address can not connect more than once per minute.

Additional protection for ssh

Add the following option to /etc/sshd_config file:

MaxAuthTries 1  

This means that the user is allowed MaxAuthTries + 1 = 2 authorization attempts.
To allow only one authorization attempt, you must set MaxAuthTries to 0:

MaxAuthTries 0  

Additional protection for proftpd

In file /usr/local/etc/proftpd.conf we add

MaxLoginAttempts 1  

Now only 1 login attempt is possible on a connection

Protect mail (dovecot) with inetd

To do this, stop dovecot:

# /usr/local/etc/rc.d/dovecot stop

Then in the file /etc/rc.conf comment out the dovecot entry:


And add the following entries in /etc/inetd.conf:

imap stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login  
imaps stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login --ssl  
pop3 stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login  
pop3s stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login --ssl  

Restart inetd


# /etc/init.d/xinetd restart

Centos 7

# systemctl restart xinetd
Updated Aug. 1, 2018