fail2ban alternative for CentOS 7


Michael L

May 3, 2023, 8:22:43 PM
to nlug...@googlegroups.com
Hello again,
The last I checked, we had 170,000+ failed login attempts; 1 every 10 seconds on our CentOS 7 web server on Digital Ocean.  I tried installing fail2ban, but the install failed;

google search yielded:
"By default, fail2ban works with iptables. However, this has been deprecated in favor of the firewalld" . 

I have a 29 character root password and will lengthen the other sudo passwords.  I hope to be rid of this CentOS 7 system soon, but until then it's best to install an additional roadblock to the brute force login attempts.

I'll take suggestions even though I've googled alternatives to Fail2Ban.

I'm a Linux user for almost 5 years now, but I benefit greatly from NLUG input.

John R. Dennison

May 3, 2023, 8:38:29 PM
to nlug...@googlegroups.com
On Wed, May 03, 2023 at 07:22:28PM -0500, Michael L wrote:
> google search yielded:
> "By default, fail2ban works with iptables. However,
> this has been deprecated in favor of the firewalld".

fail2ban is available in EPEL for EL7:

yum --enablerepo=extras install epel-release
yum --enablerepo=epel install fail2ban-server fail2ban-sendmail fail2ban-systemd

Configure as necessary and then enable and start with:

systemctl enable fail2ban.service
systemctl start fail2ban.service

> I have a 29 character root password and will lengthen the other sudo
> passwords. I hope to be rid of this CentOS 7 system soon, but until then
> it's best to install an additional roadblock to the brute force login
> attempts.

Move sshd to another port; it does nothing to heighten security but it
will reduce log / alert volume by more than a bit.





John

--
In view of the fact that God limited the intelligence of man, it seems
unfair that he did not also limit his stupidity.

-- Konrad Hermann Josef Adenauer (1876-1967), West German Chancellor from
1949-1963, as quoted in Through Russian Eyes: President Kennedy's 1036
Days (1973) by Anatoli-Andreevich Gromyko
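
Added example, not part of the thread and not fail2ban's own code: a simplified model of the per-source threshold that fail2ban's `maxretry` and `findtime` settings apply to sshd failures, run over constructed `/var/log/secure`-style lines. The function names, the sample log and the threshold values (5 failures in 600 seconds) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd syslog format (documentation IP ranges, made-up host/users).
SAMPLE_LOG = """\
May  3 20:22:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
May  3 20:22:13 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 40118 ssh2
May  3 20:22:20 web1 sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 51822 ssh2
May  3 20:22:23 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 40125 ssh2
May  3 20:22:33 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2
May  3 20:22:43 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 40140 ssh2
May  3 20:22:50 web1 sshd[2110]: Accepted publickey for deploy from 192.0.2.10 port 60022 ssh2
May  3 20:40:20 web1 sshd[2290]: Failed password for invalid user admin from 198.51.100.7 port 51990 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2023):
    """Yield (timestamp, source_ip) for each failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def would_ban(log_text, maxretry=5, findtime=600):
    """Return {ip: ban time} for sources with maxretry failures inside findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue              # already blocked; later attempts would not arrive
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    print(would_ban(SAMPLE_LOG))
```

With these values the source failing every 10 seconds is banned on its fifth attempt, while the source with two failures 18 minutes apart stays under the threshold.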

Thomas Bartkus

May 5, 2023, 1:16:59 PM
to NLUG
John R. Dennison said:
    >> Move sshd to another port; it does nothing to heighten security but it
    >> will reduce log / alert volume by more than a bit. 

Yes.  Moving to an odd port dramatically cuts the number of pwd attacks.
And I would call that increased security.

John R. Dennison

May 5, 2023, 4:44:56 PM
to nlug...@googlegroups.com
On Fri, May 05, 2023 at 10:16:59AM -0700, Thomas Bartkus wrote:
>
> Yes. Moving to an odd port dramatically cuts the number of pwd attacks.
> And I would call that increased security.

Security through obscurity does not work :) This is merely a method to
reduce alert & log volume so one can concentrate on more important
matters. You will find that persistent pests will find the alternate
port and start probing but the automated skiddies will go on to
lower-hanging fruit.





John
--
Engineer (n): Someone who does precision guesswork based upon unreliable
data provided by those of questionable knowledge".

- short-bike - Libera.Chat

THOMAS BARTKUS

May 5, 2023, 6:00:38 PM
to nlug...@googlegroups.com, John R. Dennison
>> Security through obscurity does not work :)

That's a canard. It would be more accurate to say that it is not enough. And it isn't. But anything that prevents a significant number of hack attempts is helpful. So one should strive for obscurity. Just because there are "persistent pests" out there doesn't mean you should make it easier for them.

Kent Perrier

May 5, 2023, 10:25:25 PM
to nlug...@googlegroups.com
On Fri, May 5, 2023 at 12:17 PM Thomas Bartkus <thomas...@comcast.net> wrote:
> John R. Dennison said:
> >> Move sshd to another port; it does nothing to heighten security but it
> >> will reduce log / alert volume by more than a bit.
>
> Yes.  Moving to an odd port dramatically cuts the number of pwd attacks.
> And I would call that increased security.

Moving to 2FA would be the better move.

John R. Dennison

May 6, 2023, 7:20:37 AM
to nlug...@googlegroups.com
On Fri, May 05, 2023 at 05:00:14PM -0500, THOMAS BARTKUS wrote:
>
> That's a canard. It would be more accurate to say that it is not
> enough. And it isn't. But anything that prevents a significant number
> hack attempts is helpful. So one should strive for obscurity. Just
> because there are "persistent pests" out there doesn't mean you should
> make it easier for them.

After playing the game for 40+ years I stand by my statement.





John

--
He may be mad, but there's method in his madness. There nearly always is
method in madness. It's what drives men mad, being methodical.

-- G. K. Chesterton, The Fad of the Fisherman (1922)

Vincent Brown

May 9, 2023, 12:06:33 PM
to NLUG
I hear good things about CrowdSec - The open-source & collaborative IPS. It's like fail2ban but the users share attackers' IP addresses with each other so if a hacker tries to break into another user before coming to your IP, they won't even be able to connect to you to try attacking you.

Also, consider https://almalinux.org/ as a CentOS replacement.
