How to stop bruteforce attacks

Discussion in 'Security' started by invisible, Aug 3, 2008.

  1. #1
    First, you'll need APF to be installed. I'm not going to go into detail on how to set up the firewall, but you'll simply need it installed so that BFD (brute force detector) can block the IP from trying to "brute force".

    Installing APF
    cd ~
    wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
    tar -xvzf apf-current.tar.gz
    rm -f apf-current.tar.gz
    cd apf-*
    sudo sh install.sh

    Installing BFD
    cd ~
    wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
    tar -xvzf bfd-current.tar.gz
    rm -f bfd-current.tar.gz
    cd bfd-*
    sudo sh install.sh

    Configuring BFD
    Use your favorite text editor (I prefer nano) to edit the configuration file,
    /usr/local/bfd/conf.bfd

    Find
    ALERT_USR="0"
    and replace it with
    ALERT_USR="1"

    Find
    EMAIL_USR="root"
    and replace it with
    EMAIL_USR="your.email@webserver.com"

    Save your modifications and exit your editor, start BFD using the line
    /usr/local/sbin/bfd -s

    Now, whenever BFD detects a brute force, it will email you at the address set above, and BFD will run the command
    /etc/apf/apf -d the.attackers.ip

    The emails you will usually receive look like this:
    Jul 29 08:22:40 yourhostname sshd[21642]: Invalid user manfred from the.attackers.ip
    Jul 29 08:22:40 yourhostname sshd[21643]: Invalid user michi from the.attackers.ip
    Jul 29 08:22:42 yourhostname sshd[21642]: Failed password for invalid user manfred from the.attackers.ip port 48215 ssh2
    Jul 29 08:22:42 yourhostname sshd[21643]: Failed password for invalid user michi from the.attackers.ip port 48223 ssh2
    Jul 29 08:22:44 yourhostname sshd[21646]: Invalid user michi from the.attackers.ip
    Jul 29 08:22:47 yourhostname sshd[21646]: Failed password for invalid user michi from the.attackers.ip port 48322 ssh2
    Jul 29 08:22:47 yourhostname sshd[21647]: Failed password for postgres from the.attackers.ip port 48329 ssh2

    Oh, and one thing I did after I received the attack: I immediately changed the default SSH port. Use your favorite text editor (nano again!) to edit /etc/ssh/sshd_config

    Find
    #Port 22
    And uncomment the line (remove the #) and replace the 22 with the port you want SSH to use (max. port number is
    49151, so make sure you don't put anything past that). Afterwards, restart SSH. Usually on CentOS it is service sshd restart, and in other operating systems it is /etc/rc.d/init.d/sshd restart.

    After getting attacked, I did a WHOIS on the IP (run whois the.attackers.ip). You'll usually see an email address, something like abuse@somedomain.com.

    Make sure to send them an email including the logs from the email, your server IP and the attackers IP.
     
    invisible, Aug 3, 2008
  2. nimhost
    #2
    I think cPanel has its own BF detection.
     
    nimhost, Aug 15, 2008
  3. blowingideas
    #3
    Why not install DenyHosts? It's a Python script that analyzes the log messages to determine what hosts are trying to hack into the system. If repeated attacks are noticed, the /etc/hosts.deny file will then be updated.
     
    blowingideas, Aug 15, 2008
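As an added example (not BFD's or DenyHosts' code, and not part of any post in this thread), here is a small POSIX shell script showing the core of what both the BFD setup in the first post and the DenyHosts suggestion above do: count sshd "Failed password" lines per source address, and once a source crosses a threshold, render either the apf -d command BFD runs or the hosts.deny line DenyHosts writes. The function names, the threshold and the sample log lines are the example's own; the log lines are constructed in the format shown in the first post, using the 192.0.2.0/24 documentation range.

```shell
#!/bin/sh
# Added example, not BFD's or DenyHosts' own code: count sshd password failures
# per source address in auth-log lines and emit the block action each tool
# would take. Function and variable names are the example's own.

# failed_ssh_sources THRESHOLD   (log lines on stdin)
# Prints "IP COUNT" for every source with at least THRESHOLD "Failed password" lines.
failed_ssh_sources() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # "... from <ip> port <n> ssh2": the token after "from" is the source
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | sort
}

# block_command MODE IP
# Renders (does not run) the block action: "apf" mirrors the apf -d call from the
# first post, "hostsdeny" the line DenyHosts would add to /etc/hosts.deny.
block_command() {
    mode="$1"; ip="$2"
    case "$mode" in
        apf)       printf '/etc/apf/apf -d %s\n' "$ip" ;;
        hostsdeny) printf 'sshd: %s\n' "$ip" ;;
        *)         echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# bruteforce_blocklist MODE THRESHOLD   (log lines on stdin)
# One block command per offending source, as a dry run; pipe the output to sh to apply.
bruteforce_blocklist() {
    mode="$1"; threshold="$2"
    failed_ssh_sources "$threshold" | while read -r ip count; do
        block_command "$mode" "$ip"
    done
}

# Constructed sample in the format shown in the first post. 192.0.2.0/24 is the
# RFC 5737 documentation range, not a real attacker. Only "Failed password" lines
# count; the "Invalid user" and "Accepted password" lines are deliberately ignored.
SAMPLE_LOG='Jul 29 08:22:40 host sshd[21642]: Invalid user manfred from 192.0.2.10
Jul 29 08:22:42 host sshd[21642]: Failed password for invalid user manfred from 192.0.2.10 port 48215 ssh2
Jul 29 08:22:44 host sshd[21646]: Invalid user michi from 192.0.2.10
Jul 29 08:22:47 host sshd[21646]: Failed password for invalid user michi from 192.0.2.10 port 48322 ssh2
Jul 29 08:22:47 host sshd[21647]: Failed password for postgres from 192.0.2.10 port 48329 ssh2
Jul 29 08:22:49 host sshd[21650]: Failed password for root from 192.0.2.10 port 48340 ssh2
Jul 29 08:30:01 host sshd[21702]: Failed password for alice from 192.0.2.20 port 51022 ssh2
Jul 29 08:30:05 host sshd[21702]: Accepted password for alice from 192.0.2.20 port 51022 ssh2'

# Dry run on the sample: the scanning host crosses the threshold, alice's single typo does not.
printf '%s\n' "$SAMPLE_LOG" | bruteforce_blocklist apf 3
```

On a real box you would feed the live log instead of the sample, for example `bruteforce_blocklist apf 5 < /var/log/secure | sh`, after first checking the dry-run output so a colleague's mistyped password does not get your own office blocked. The threshold and the choice between the apf and hosts.deny actions are the same knobs BFD and DenyHosts expose in their own configuration files.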
  4. MrEsper
    #4
    Yeah, you're right. It's under 'Server Configuration' in WHM, from what I can remember.
     
    MrEsper, Aug 15, 2008
  5. mdvaldosta
    #5
    mdvaldosta, Aug 15, 2008
  6. nimhost
    #6
    combining cpHulk with CSF and mod_security was the best :D
     
    nimhost, Aug 15, 2008
  7. popowich
    #7
    There are scripts available to monitor your ssh logs and put deny rules in your firewall to block IPs that generate too many ssh login failure attempts. Here are some examples. It would be best to only open up ssh (and other ports) to the networks that need them or that you will be accessing them from. Also, if the attacks are out of control and not regular noise passing over you, I'd consider submitting an abuse report to the ISP of the offending IP address.

    -Raymond
     
    popowich, Aug 15, 2008
  8. nimhost
    #8
    that was for freebsd :)
     
    nimhost, Aug 15, 2008
  9. hostindya
    #9
    Are you using any control panel?
     
    hostindya, Aug 16, 2008