As a server admin, a vital part of the job is protecting your servers from different types of attacks. The most common one among them is the brute force attack, where the attacker tries to log in to the server, an email account or any other password-protected area by trial and error. The most common form of brute force attack is a dictionary attack: a person trying to get access to one of your accounts (web server, FTP, e-mail, SSH, etc.) uses a list of common usernames and password combinations with the help of an automated script.
We need a service that detects login failures and, if it sees too many login failures from a specific IP, triggers the firewall so that the IP gets blocked, thereby protecting the server and the account.
So the basic steps to protect your server against brute force attacks are:
- Use complex passwords – It is your data and your business. Why would you set a password which is easily guessable?
- Use nonstandard ports for services like SSH, FTP etc.
- Install a Brute Force Detection (BFD) service.
In order to detect brute force attacks, it is necessary to monitor the access log files for repeated failures. There are a few simple scripts available free on the Internet which do this job quite well. Two of them are CSF from ConfigServer.com and APF+BFD from RFXnetworks.com.
Mind you, both of the above tools depend on the Linux firewall, iptables; if your server doesn't support it, these tools are not for you.
The basic principle behind these tools is the firewall policy. By default, iptables ACCEPTs all connections, which is potentially dangerous. So APF and CSF change the default policy to DROP and ACCEPT connections only on specific ports. That is also why a server with CSF or APF installed stops responding when you run "iptables -F": flushing removes the ACCEPT rules but leaves the DROP policy in place, so nothing gets through until the rules are reloaded.
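The two ideas above (count login failures per source IP and block the IP once a threshold is crossed, and a default-DROP policy with explicit ACCEPTs) are small enough to show in working code. The following is an added example written for this article; it is not CSF, LFD, APF or BFD code. The threshold, window, port lists and the sample log lines are all assumptions constructed here, using documentation IP ranges, and the firewall commands are returned as strings rather than executed.

```python
"""Login-failure detector in the spirit of the BFD/LFD approach the article
describes. Added illustration only, not CSF, LFD, APF or BFD code.
All log lines below are constructed samples using documentation IP ranges."""
import re
from collections import defaultdict
from datetime import datetime

# Shape of an OpenSSH failure line in /var/log/secure or /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Policy knobs (assumed values; CSF and BFD expose their own in their config files).
THRESHOLD = 3         # failures tolerated from one IP ...
WINDOW_SECONDS = 600  # ... inside this sliding window

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 51122 ssh2
Mar 10 10:00:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51130 ssh2
Mar 10 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.10 port 51141 ssh2
Mar 10 10:00:13 host sshd[1207]: Failed password for invalid user test from 203.0.113.10 port 51150 ssh2
Mar 10 10:05:00 host sshd[1300]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 10:06:00 host sshd[1310]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar 10 10:07:00 host sshd[1312]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar 10 09:00:00 host sshd[1100]: Failed password for root from 192.0.2.5 port 30000 ssh2
Mar 10 09:15:00 host sshd[1110]: Failed password for root from 192.0.2.5 port 30010 ssh2
Mar 10 09:30:00 host sshd[1120]: Failed password for root from 192.0.2.5 port 30020 ssh2
"""


def parse_failures(lines, year=2024):
    """Yield (timestamp, ip, user) for every failed-password line.
    Syslog timestamps carry no year, so the caller supplies one."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def offenders(lines, threshold=THRESHOLD, window=WINDOW_SECONDS, year=2024):
    """Return the set of IPs that produced `threshold` or more failures
    within any `window`-second span. Events are sorted first so the
    result does not depend on log ordering."""
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    flagged = set()
    for ts, ip, _user in sorted(parse_failures(lines, year)):
        bucket = recent[ip]
        bucket.append(ts)
        # Slide the window: forget failures older than `window` seconds.
        while (ts - bucket[0]).total_seconds() > window:
            bucket.pop(0)
        if len(bucket) >= threshold:
            flagged.add(ip)
    return flagged


def block_rules(ips):
    """iptables commands a BFD-style tool would run for each offender.
    Returned as strings only; nothing here touches the firewall."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


def baseline_rules(tcp_in=(22, 80, 443), udp_in=(53,)):
    """Default-deny ruleset of the kind CSF/APF install: policy DROP,
    then explicit ACCEPTs. `iptables -F` deletes every -A/-I rule but
    keeps the -P policy, which is why a flushed box stops answering."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules += [f"iptables -A INPUT -p tcp --dport {p} -j ACCEPT" for p in tcp_in]
    rules += [f"iptables -A INPUT -p udp --dport {p} -j ACCEPT" for p in udp_in]
    return rules


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines())
    print("offenders:", sorted(bad))
    for rule in block_rules(bad):
        print(rule)
```

Run against the sample log, only 203.0.113.10 is flagged: it fails four times in twelve seconds. 192.0.2.5 also fails three times, but fifteen minutes apart, so the sliding window never holds three of its failures at once; a fixed-interval counter without the window would have blocked it too. Widening the window to an hour flags it.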
How to Install CSF
cd /root
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
If you are on a cPanel server, log in to WHM, scroll down to "ConfigServer Security and Firewall", and enable the service by turning off test mode. You also need to confirm that all the ports you need are enabled. The configuration is very detailed, and CSF has its own BFD called Login Failure Detection (LFD).
Through the interface you can add, ignore, block and unblock IPs, and search for IPs and IP ranges. It can also monitor cPanel, WHM and SSH logins and send you alerts, so that you can see who has logged in to the server and from where. It also watches processes and alerts you if any process has been running for more than N seconds or is using more than N MB of RAM.
How to Install APF/BFD
cd /root
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar xfz apf-current.tar.gz
cd apf-*
./install.sh
By default, APF and CSF are set up to run in development mode, which flushes the firewall rules every 5 minutes. Running in development mode defeats the purpose of running APF, since the rules are automatically flushed every 5 minutes. Configure the ingress (inbound) TCP and UDP ports that need to be open, then turn development mode off.
Edit /etc/apf/ad/conf.antidos as you see fit, and start the APF firewall.
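The development-mode switch and the inbound port lists live in each tool's main configuration file. The fragment below is an added illustration, not the files as shipped by the projects: the key names are the ones CSF (/etc/csf/csf.conf) and APF (/etc/apf/conf.apf) use, while the port lists are assumed values for a host running only SSH, mail, DNS and web.

```ini
# /etc/csf/csf.conf (illustrative excerpt)
# As shipped: TESTING = "1" adds a cron job that flushes the rules every
# TESTING_INTERVAL minutes, so the firewall never really protects anything.
TESTING = "0"
TESTING_INTERVAL = "5"
# Inbound/outbound ports to allow (assumed lists; adjust to the services you run).
TCP_IN = "22,25,80,443"
TCP_OUT = "22,25,53,80,443"
UDP_IN = "53"
UDP_OUT = "53,123"

# /etc/apf/conf.apf (illustrative excerpt)
# As shipped: DEVEL_MODE="1" flushes the rules every 5 minutes for the same reason.
DEVEL_MODE="0"
# Ingress (inbound) ports to open (assumed lists).
IG_TCP_CPORTS="22,25,80,443"
IG_UDP_CPORTS="53"
```

Leaving TESTING or DEVEL_MODE at "1" is a safety net while you confirm the port lists from a second session, so that a mistake cannot lock you out; once you can still reach the box after the rules are loaded, set it to "0" and restart the tool.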
How to Install BFD
cd /root
wget http://rfxnetworks.com/downloads/bfd-current.tar.gz
tar xfz bfd-current.tar.gz
cd bfd-*
./install.sh
Read the README file and edit the configuration file at /usr/local/bfd/conf.bfd. Find ALERT="0" and replace it with ALERT="1".
and replace it with:
Installing APF or BFD doesn't mean that the server is secure; it is just an enhancement. You must watch the mails that CSF or APF sends, keep your server under close watch, keep your passwords secure, and keep services off the common ports as much as possible. A secure server always means peace of mind. Good luck!