Brute Force Attacks



moonshield
02-07-2005, 01:42 PM
I set up my firewall to block brute force password attacks. It is disturbing how many attacks one gets. Anyone else see this?

Westech
02-07-2005, 04:31 PM
Yeah, I get these every day. I think pretty much any server that has open ports that can be detected with a port scan will have this happen. I use BFD (an add-on for APF firewall) to block any IPs that attempt brute force attacks: http://www.webhostgear.com/60.html

I've reported a couple of the IPs to datacenter abuse teams if they come from datacenters that I think will actually take action.

moonshield
02-07-2005, 04:49 PM
Yeah, BFD is a great tool, I use it myself.

ramprage
03-22-2005, 04:29 PM
BFD and APF are excellent together if you own a web server. I've been using them on many servers with no complaints!

If you mean brute force logins to scripts you might want to make a custom IP blocking tool.

moonshield
03-24-2005, 08:11 AM
Nope, I don't get that, just stupid people trying to SSH in. Mostly from the Pacific Ocean. Does anyone just ban them all?

ramprage
03-24-2005, 08:15 AM
Banning an IP block can stop users from seeing your entire server instead of just the attacker. Most of the time an attack will be sent from a zombie server or computer.

Whenever someone tries to log in too often with failed attempts I ban their IP. It's a good idea to clear out the banned IPs after a day or two to prevent legitimate users being locked out.

You should set up Logwatch, which notifies you of failed login attempts.
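
The ban-then-expire approach described in the post above, as an added example that is not part of the original thread and is not BFD's code. It assumes the OpenSSH syslog "Failed password" line format; the threshold, window, ban length, host name and sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed OpenSSH syslog format: "Mar 24 08:00:00 host sshd[pid]: Failed password for ..."
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) "
)

def find_bans(lines, year, threshold=5, window=timedelta(minutes=10),
              ban_for=timedelta(days=1)):
    """Return {ip: ban_expiry} for IPs with `threshold` failures inside `window`."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and ts < bans[ip]:
            continue  # still banned, nothing new to record
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            bans[ip] = ts + ban_for
            q.clear()
    return bans

def active_bans(bans, now):
    """Drop expired bans so a reassigned or shared address is not locked out forever."""
    return {ip: expiry for ip, expiry in bans.items() if expiry > now}

# Constructed sample log lines (documentation-range addresses, made-up host and pids).
HOST = "web1"
SAMPLE = (
    [f"Mar 24 08:0{i // 2}:{30 * (i % 2):02d} {HOST} sshd[2001]: "
     f"Failed password for root from 203.0.113.7 port 40001 ssh2" for i in range(5)]
    + [f"Mar 24 {10 + i}:00:00 {HOST} sshd[2002]: "
       f"Failed password for invalid user test from 192.0.2.9 port 40002 ssh2" for i in range(5)]
    + [f"Mar 24 08:05:00 {HOST} sshd[2003]: Accepted password for alice from 198.51.100.20 port 40003 ssh2"]
)

if __name__ == "__main__":
    for ip, expiry in find_bans(SAMPLE, 2005).items():
        print(f"ban {ip} until {expiry}")
```

Only the address with five failures inside ten minutes is banned; the one failing once an hour stays under the threshold, which is the trade-off of any fixed window.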

moonshield
03-24-2005, 10:17 AM
I know, but they mostly are in the subnet of Asia. When I trace them they are from Korea 70%. Like you said, it probably is just a zombie server. I do think that most attackers are from Asia though.

Joachim
03-25-2005, 08:03 AM
Well, I on the other hand don't clean up the IP list.
99% is from Asia sadly enough.

Aside from the fact that it's easy to work around, if there was a performant and easy solution to blocking Asia I would.