Ban Brute Force Attacks

November 25, 2016 2.4k views
Logging Security Ubuntu

Hi to all, I'm new to Linux and I'm using some servers in Digital Ocean to learn.

I'm suffering continuous login attempts from Chinese IPs and I would like to ban all of them. Or at least ban anyone failing to log in several times in a short period of time.

What is the best way to do this? I read about fail2ban but I would like to know what you think before configuring it.

Thanks for your time.

4 Answers

Hi Luis,

For me, fail2ban is the best option to do this job. There is an article explaining how to install and configure it at https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04.

Best regards,
Alberto

Hello,

You can ban each IP listed by doing something similar to:

sudo fail2ban-client -vvv set JAIL banip WW.XX.YY.ZZ

Or perhaps UFW:

sudo ufw deny from {ip-address-here} to any

Thanks benrebla,

The problem is that this Chinese stuff is quite resilient: they will keep trying different IPs… how could I ban a whole country!?

I really don't understand why Digital Ocean hasn't some standard solution in place: this is becoming a major issue for lots of people…

This seems to be an old question so I apologise in advance, however I assume it will still get viewed.

I have created a tool called PyFilter, which aims to filter out all of the requests that are not legitimate to your server, and blocks them if too many are sent. It works by reading log files and checking if a failed request has come from the same IP address within a user-configurable amount of time and adding rules to the firewall if too many attempts have been captured, much like fail2ban.

However, PyFilter has the ability of cross-server ban syncing. Cross-server ban syncing allows IP addresses to be banned across multiple servers if this is enabled. For example, if IP address X was banned on server Y, and server Z has ban syncing enabled, it will blacklist that IP even if that IP has not met the required failed attempts on that server.

PyFilter site
PyFilter github

  • @Jason2605 I just recently discovered your PyFilter project. Deployed and configured for my own DO server and it’s working great! Well Done!

    I hope the project continues to evolve. I would love to be able to set failed attempt thresholds per config block some day, as I’ve noticed attack patterns vary per method (SSH vs Nginx/HTTP for example).

    But even the current version does a great job. Thanks so much for your great contribution!

    • I’m glad you found the project and find it useful, and want to thank you for the kind words! :)

      Currently development on PyFilter has stagnated somewhat, but I really do appreciate the ideas of what to implement and will hopefully find some time to look into it.
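
The log-scanning approach described in the answers above (count failed logins per IP inside a time window, then add a firewall rule), as an added example that is not part of the original thread and is not fail2ban's or PyFilter's own code. The log lines are constructed, the regex assumes OpenSSH's standard "Failed password" message, and the function names and thresholds are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH auth.log format (documentation IPs).
SAMPLE_LOG = """\
Nov 25 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Nov 25 10:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Nov 25 10:00:09 host sshd[1003]: Failed password for root from 198.51.100.4 port 51000 ssh2
Nov 25 10:00:12 host sshd[1004]: Failed password for root from 203.0.113.7 port 40003 ssh2
Nov 25 10:01:00 host sshd[1005]: Accepted publickey for luis from 192.0.2.10 port 52000 ssh2
Nov 25 10:30:00 host sshd[1006]: Failed password for root from 198.51.100.4 port 51001 ssh2
Nov 25 10:59:00 host sshd[1007]: Failed password for root from 198.51.100.4 port 51002 ssh2
"""

# Anchored at line start and on the sshd tag; \S+ for the user name keeps a
# crafted user name from smuggling a fake "from <ip>" into the match.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_offenders(lines, max_failures=3, window=timedelta(minutes=5), year=2016):
    """Return IPs with at least max_failures failed logins inside one sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    offenders = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps omit the year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= max_failures and m["ip"] not in offenders:
            offenders.append(m["ip"])
    return offenders

def ufw_commands(ips):
    """Render the ufw rule quoted earlier in the thread for each offender (not executed)."""
    return [f"sudo ufw deny from {ip} to any" for ip in ips]

if __name__ == "__main__":
    for cmd in ufw_commands(find_offenders(SAMPLE_LOG.splitlines())):
        print(cmd)
```

With the default five-minute window only the burst from 203.0.113.7 is flagged; the slow retries from 198.51.100.4 are caught only when the window is widened, which is the trade-off behind tuning the time and attempt thresholds.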
