Brute Force attack - a method of breaking into a computer system by guessing the password: every possible combination of characters is tried until one matches.

    Protection with DenyHosts


    # cd /usr/ports/security/denyhosts
    # make install clean

    Edit the file /etc/hosts.allow:

    # deny ssh access from hosts listed in /etc/hosts.denied
    sshd : /etc/hosts.denied : deny
    # allow access from everyone else
    sshd : ALL : allow

    In the denyhosts configuration file /usr/local/etc/denyhosts.conf set the option:

    HOSTS_DENY = /etc/hosts.denied  

    Comment out the line, otherwise denyhosts will not start:


    Add to autoload:

    # echo 'denyhosts_enable="YES"' >> /etc/rc.conf

    So that denyhosts does not complain at startup about a missing file, create it:

    # touch /etc/hosts.denied

    And then start denyhosts right away:

    # /usr/local/etc/rc.d/denyhosts start

    The configuration is now complete.

    Protecting with inetd

    Install (CentOS):

    # yum install inetd

    Install (Debian/Ubuntu):

    # apt-get install xinetd

    Inetd parameters:

    • -c maximum

    Sets the maximum number of simultaneous instances of each service; unlimited by default.
    Can be overridden individually for each service with the max-child field.

    • -C rate

    Sets the default maximum number of times a service can be invoked from a single
    IP address per minute; unlimited by default. Can be overridden for each service
    with the max-connections-per-ip-per-minute field.

    • -R rate

    Sets the maximum number of times a service can be invoked per minute; 256 by default.
    A rate of 0 means the number of invocations is not limited.

    • -s maximum

    Sets the maximum number of processes simultaneously serving one service for one IP
    address; unlimited by default. Can be overridden for each service with the max-child-per-ip field.

    Lines in the /etc/inetd.conf file have the following format (as documented in inetd.conf(5); the three optional
    numbers after wait/nowait are the per-service equivalents of -c, -C and -s, in that order):

    service-name socket-type protocol {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]] user[:group][/login-class] server-program server-program-arguments

    Set the parameters for the FTP and SSH services as follows:

    # /etc/inetd.conf

    ftp stream tcp nowait/5/1/2 root /usr/local/sbin/in.proftpd proftpd  
    ssh stream tcp nowait/5/1/2 root /usr/sbin/sshd sshd -i -4  

    Restarting inetd:


    # /etc/init.d/xinetd restart

    Centos 7

    # systemctl restart xinetd

    In this case (nowait/5/1/2) at most 5 clients can use a service at the same time, a single IP address may hold at most 2 simultaneous connections, and a single IP address cannot open a new connection more than once per minute. Note that the per-IP limits also apply to legitimate users who share one address behind NAT, so a limit of one connection per minute can lock them out as well.
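    To check which services in inetd.conf actually carry the limits described above, the following added example (not part of the original page) parses the wait/nowait field into its max-child, max-connections-per-ip-per-minute and max-child-per-ip parts and reports services that rely only on the daemon-wide defaults. The sample file content is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# inetd.conf(5): {wait|nowait}[/max-child[/max-conn-per-ip-per-min[/max-child-per-ip]]]
WAIT_FIELD = re.compile(r"^(wait|nowait)(?:/(\d*)(?:/(\d*)(?:/(\d*))?)?)?$")

@dataclass
class InetdService:
    name: str
    socket_type: str
    protocol: str
    wait: str
    max_child: Optional[int]            # per-service -c; None = daemon default
    max_conn_per_ip_min: Optional[int]  # per-service -C
    max_child_per_ip: Optional[int]     # per-service -s
    user: str
    server: str
    args: List[str]

def _opt_int(s):
    # a missing or empty sub-field ("nowait//2") keeps the daemon-wide default
    return int(s) if s else None

def parse_inetd_conf(text):
    services = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        m = WAIT_FIELD.match(f[3])
        if not m:
            raise ValueError(f"line {lineno}: bad wait/nowait field {f[3]!r}")
        services.append(InetdService(f[0], f[1], f[2], m.group(1),
                                     _opt_int(m.group(2)), _opt_int(m.group(3)),
                                     _opt_int(m.group(4)), f[4], f[5], f[6:]))
    return services

def unlimited_services(services):
    """Names of services with no per-service limits at all."""
    return [s.name for s in services if s.max_child is None
            and s.max_conn_per_ip_min is None and s.max_child_per_ip is None]

SAMPLE = """\
# /etc/inetd.conf (constructed sample)
ftp  stream tcp nowait/5/1/2 root /usr/local/sbin/in.proftpd proftpd
ssh  stream tcp nowait/5/1/2 root /usr/sbin/sshd sshd -i -4
imap stream tcp nowait       root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login
"""

if __name__ == "__main__":
    print("services without per-service limits:", unlimited_services(parse_inetd_conf(SAMPLE)))
```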

    Additional protection for ssh

    Add the following option to /etc/sshd_config file:

    MaxAuthTries 1  

    This means that the user is allowed MaxAuthTries + 1 = 2 authentication attempts.
    To allow only one authentication attempt, set MaxAuthTries to 0:

    MaxAuthTries 0  

    Additional protection for proftpd

    In the file /usr/local/etc/proftpd.conf add:

    MaxLoginAttempts 1  

    Now only 1 login attempt is possible per connection.

    Protect mail (dovecot) with inetd

    To do this, stop dovecot:

    # /usr/local/etc/rc.d/dovecot stop

    Then in the file /etc/rc.conf comment out the dovecot entry:


    And add the following entries in /etc/inetd.conf:

    imap stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login  
    imaps stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login --ssl  
    pop3 stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login  
    pop3s stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login --ssl  

    Restart inetd:


    # /etc/init.d/xinetd restart

    Centos 7

    # systemctl restart xinetd