Brute-force attack: a method of breaking into a computer system by trying every possible combination of characters until one is accepted as the password.

    Protection with DenyHosts

    Installation:

    # cd /usr/ports/security/denyhosts
    # make install clean
    

    Edit the file /etc/hosts.allow:

    # deny ssh access from hosts listed in /etc/hosts.denied
    sshd : /etc/hosts.denied : deny
    # allow access
    sshd : ALL : allow
    

    In the denyhosts configuration file, /usr/local/etc/denyhosts.conf, set the option:

    HOSTS_DENY = /etc/hosts.denied  
    

    Explain the line otherwise denyhosts will not start:

    BLOCK_SERVICE = ALL  
    

    Enable denyhosts at boot:

    # echo 'denyhosts_enable="YES"' >> /etc/rc.conf
    

    To keep denyhosts from complaining about a missing file at startup, create it:

    # touch /etc/hosts.denied
    

    Then start denyhosts right away:

    # /usr/local/etc/rc.d/denyhosts start
    

    The configuration is now complete.

    Protecting with inetd

    Installation:

    Centos

    # yum install xinetd
    

    Debian/Ubuntu

    # apt-get install xinetd
    

    Inetd parameters:

    • -c maximum

    Defines the maximum number of simultaneous runs of each service; no limit by default.
    Can be overridden individually for each service using the max-child parameter.

    • -C rate

    Specifies, by default, the maximum number of times a service can be invoked from a single
    IP address per minute; not limited by default. Can be overridden for each service
    by the max-connections-per-ip-per-minute parameter.

    • -R rate

    Specifies the maximum number of times a service can be called per minute; by default
    256. A frequency of 0 does not limit the number of calls.

    • -s maximum

    Sets the maximum number of processes simultaneously serving one service for one IP
    address; not limited by default. Can be overridden for each service by the max-child-per-ip parameter.

    Lines in /etc/inetd.conf file have the following format:

    service-name  
    socket-type  
    protocol  
    {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]  
    user[:group][/login-class]  
    server-program  
    server-program-arguments  
    

    Implementing

    Modify the parameters for the FTP and SSH services as follows:

    Centos/Debian/Ubuntu

    # /etc/xinetd.conf
    

    Contents:

    ftp stream tcp nowait/5/1/2 root /usr/local/sbin/in.proftpd proftpd  
    ssh stream tcp nowait/5/1/2 root /usr/sbin/sshd sshd -i -4  
    

    Restarting inetd:

    Debian/Ubuntu

    # /etc/init.d/xinetd restart
    

    Centos 7

    # systemctl restart xinetd
    

    With these settings, at most 5 clients can use each service at the same time, at most 2 simultaneous connections are possible from one IP address, and one IP address cannot connect more than once per minute.
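To check which entries actually carry these limits, the following added example (not part of the original page) parses inetd.conf lines in the format shown above and lists services whose per-IP limits are unset. The function names and the sample text are constructed for illustration.

```python
# Positional limits after {wait|nowait}, in the order used by the line format.
LIMIT_NAMES = ("max-child", "max-connections-per-ip-per-minute", "max-child-per-ip")

def parse_inetd_line(line):
    """Parse one inetd.conf entry; return None for blank lines and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 6:
        raise ValueError(f"expected at least 6 fields: {line!r}")
    service, _socket_type, protocol, wait_field, user, program = fields[:6]
    mode, *raw = wait_field.split("/")
    if mode not in ("wait", "nowait") or len(raw) > len(LIMIT_NAMES):
        raise ValueError(f"bad wait field: {wait_field!r}")
    # None means "not set on this line", so the inetd-wide defaults apply.
    limits = dict.fromkeys(LIMIT_NAMES)
    for name, value in zip(LIMIT_NAMES, raw):
        limits[name] = int(value)
    return {"service": service, "protocol": protocol, "mode": mode,
            "user": user, "program": program, "args": fields[6:],
            "limits": limits}

def audit(conf_text):
    """Return [(service, [unset per-IP limit names])] for weak entries."""
    findings = []
    for line in conf_text.splitlines():
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        missing = [n for n in LIMIT_NAMES[1:] if entry["limits"][n] is None]
        if missing:
            findings.append((entry["service"], missing))
    return findings

# Constructed sample: one fully limited entry and two weaker ones.
SAMPLE = """\
# constructed sample, not a real configuration
ftp stream tcp nowait/5/1/2 root /usr/local/sbin/in.proftpd proftpd
pop3 stream tcp nowait root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login
imap stream tcp nowait/5/1 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login
"""

if __name__ == "__main__":
    for service, missing in audit(SAMPLE):
        print(f"{service}: no {', '.join(missing)}")
```
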

    Additional protection for ssh

    Add the following option to /etc/sshd_config file:

    MaxAuthTries 1  
    

    This means that the user is allowed MaxAuthTries + 1 = 2 authorization attempts.
    To allow only one authorization attempt, you must set MaxAuthTries to 0:

    MaxAuthTries 0  
    

    Additional protection for proftpd

    In the file /usr/local/etc/proftpd.conf, add:

    MaxLoginAttempts 1  
    

    Now only 1 login attempt is possible per connection.

    Protect mail (dovecot) with inetd

    To do this, stop dovecot:

    # /usr/local/etc/rc.d/dovecot stop
    

    Then in the file /etc/rc.conf comment out the dovecot entry:

    #dovecot_enable="YES"
    

    And add the following entries in /etc/inetd.conf:

    imap stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login  
    imaps stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/imap-login --ssl  
    pop3 stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login  
    pop3s stream tcp nowait/5/1/2 root /usr/libexec/tcpd /usr/local/libexec/dovecot/pop3-login --ssl  
    

    Restart inetd:

    Debian/Ubuntu

    # /etc/init.d/xinetd restart
    

    Centos 7

    # systemctl restart xinetd