Does anyone know of a linux tool that can immediately ban an IP address if they try to log in to ssh with specific user names? I see a ton of attempts in my logs for names like fax, mysql, admin, and of course root. Fail2ban only works if the same IP makes repeated attempts but I’m betting if I could generate a list from these failed attempts it would probably correlate with standard blocklists of compromised hosts. For that matter, is there a way to use an RBL to limit addresses that ssh will even accept? Of course none of these attempts have a chance of logging in, but it would still be nice to further limit my exposure for any future attacks.
Sounds like a job for crowdsec. Basically fail2ban on steroids. They already have a ban scenario for attempts to exploit web application CVEs. While the default ssh scenario does not ban specific usernames, I’m pretty sure writing a custom one would be trivial (writing a custom parser+scenario for ghost cvs from no knowledge to fully deployed took me just one afternoon)
Another thing I like about crowdsec is the crowd sourced ban IPs. It’s super nice you can preemptively ban IPs that are port-scanning/probing other people’s servers.
It’s also MIT licensed and uses less ram than fail2ban.
Hmm I keep hearing about it but haven’t looked into it. One thing I have set up between my systems if they share the blocked IPs with each other so every server drops a blocked address at the same time… I assume crowdsec has something similar for local sharing so I don’t have to wait for a blocked IP to be sent to them, added to the database, and sent back to my local machines again?
One way to do this would be set up crowdsec bouncers on each server but only run a single instance of the crowdsec daemon. Send all logs to the daemon and let it communicate with all the bouncers.
Does anyone know of a linux tool that can immediately ban an IP address if they try to log in to ssh with specific user names? I see a ton of attempts in my logs for names like fax, mysql, admin, and of course root. Fail2ban only works if the same IP makes repeated attempts but I’m betting if I could generate a list from these failed attempts it would probably correlate with standard blocklists of compromised hosts. For that matter, is there a way to use an RBL to limit addresses that ssh will even accept? Of course none of these attempts have a chance of logging in, but it would still be nice to further limit my exposure for any future attacks.
Sounds like a job for crowdsec. Basically fail2ban on steroids. They already have a ban scenario for attempts to exploit web application CVEs. While the default ssh scenario does not ban specific usernames, I’m pretty sure writing a custom one would be trivial (writing a custom parser+scenario for ghost cvs from no knowledge to fully deployed took me just one afternoon)
Another thing I like about crowdsec is the crowd sourced ban IPs. It’s super nice you can preemptively ban IPs that are port-scanning/probing other people’s servers.
It’s also MIT licensed and uses less ram than fail2ban.
Hmm I keep hearing about it but haven’t looked into it. One thing I have set up between my systems if they share the blocked IPs with each other so every server drops a blocked address at the same time… I assume crowdsec has something similar for local sharing so I don’t have to wait for a blocked IP to be sent to them, added to the database, and sent back to my local machines again?
One way to do this would be set up crowdsec bouncers on each server but only run a single instance of the crowdsec daemon. Send all logs to the daemon and let it communicate with all the bouncers.
Cool, thanks for the tip!