Question

Ban Brutte Force Attacks

Posted November 25, 2016 2.8k views
Ubuntu Security Logging

Hi to all, I´m new to Linux and I´m using some servers in Digital Ocean to learn.

I´m suffering continuous login attempts from Chinese IPs and I would like to ban all of them. Or at least ban anyone failing to log for several times in a short period of time.

What is the best way to do this? I readed about fail2ban but I would like to know what do you think before configuring.

Thks for your time.

Add a comment
luis920035
By:
luis920035
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

4 answers
albertogviana November 25, 2016

Hi Luis,

For me, fail2ban is the best option to do this job. There is an article explained how to install and configure on https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04.

Best regards,
Alberto

Reply Report
benrebia November 26, 2016

Hello,

You can ban each IP listed by doing something similar to:

sudo fail2ban-client -vvv set JAIL banip WW.XX.YY.ZZ

Or perhaps UFW:

sudo ufw deny from {ip-address-here} to any

Reply Report
luis920035 November 27, 2016

Thks benrebla,

The problem is that this chinese stuff is quite resilient: they will keep trying different ips… how could I ban a hole country !?

I really don´t understand why Digital Ocean hasn´t some standard solution in place: this is becoming a major issue for lots of people…

Reply Report
Jason2605 November 20, 2017

This seems to be an old question so i apologise in advance, however i assume it will still get viewed.

I have created a tool called PyFilter, which aims to filter out all of the requests that are not legitimate to your server, and blocks them if too many are sent. It works by reading log files and checking if a failed request has came from the same IP address within a user configurable amount of time and adding rules to the firewall if too many attempts have been captured, much like fail2ban.

However PyFilter has the ability of cross server ban syncing. Cross server ban syncing allows IP addresses to be banned across multiple servers if this is enabled. For example if IP address X was banned on server Y, and server Z has ban syncing enabled it will blacklist that IP even if that IP has not met the required failed attempts on that server.

PyFilter site
PyFilter github

Reply Report
  • IRgEEK June 23, 2019

    @Jason2605 I just recently discovered your PyFilter project recently. Deployed and configured for my own DO server and it’s working great! Well Done!

    I hope the project continues to evolve. I would love to be able to set failed attempt thresholds per config block some day, as I’ve noticed attack patterns vary per method (SSH vs Nginx/HTTP for example).

    But even the current version does a great job. Thanks so much for your great contribution!

    Reply Report
    • Jason2605 June 23, 2019

      I’m glad you found the project and find it useful, and want to thank you for the kind words! :)

      Currently development on PyFilter has stagnated somewhat, but I really do appreciate the ideas of what to implement and will hopefully find some time to look into it.

      Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help