[FreeNX-kNX] fail2ban and freenx
Holger Krull
holger.krull at gmx.de
Fri Mar 14 10:06:31 UTC 2008
Verner Kjærsgaard wrote:
> Fabian Franz wrote:
>>> Please tell me if there is some log file where login failures would be
>>> registered with the real IP and the time of failure. Or if I can
>>> modify something to get that.
>> You can modify nxserver.
>>
>> Search for 404 and add a syslog command or whatever. The IP can be gotten from SSH_CLIENT.
>> echo "NX> 404 [...]"
>> syslog [... params ...] "Failed login for USER $USER. IP=$SSH_CLIENT".
>>
>> Or whatever.
>>
>> As I pointed out in IRC you can also use another public/private key pair, which you deploy to clients to reach your goal of preventing attackers.
>>
>
> I use Denyhosts (see http://denyhosts.sourceforge.net/)
> Then in /etc/hosts.allow I put 127.0.0.1 to make sure that localhost
> doesn't get shut out.
>
> I think (??) this works as I intend it to. Otherwise, please enlighten
> me :-)
As a sidenote, I use an iptables filter to prevent repeated login tries like this
(bans a specific IP if more than 3 tries occur in one minute):
# user-defined chain: log the offender, then drop the packet
iptables -N sshd_bf
iptables -A sshd_bf -j LOG --log-prefix "sshd_brute_force "
iptables -A sshd_bf -j DROP
# every new SSH connection adds a timestamp for its source address to the "SSH" list
iptables -I INPUT 3 -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
# 4th hit from the same address (same TTL) within 60 s jumps to sshd_bf; the match also refreshes the entry, so the ban slides while the attacker keeps sending
iptables -I INPUT 4 -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j sshd_bf
With an additional '-i eth0' in the two match rules you could prevent a local connection from triggering this.
The position in the input queue (3 and 4) may differ with your setup.
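To tie the two suggestions in this thread together, here is an added example (not code from FreeNX, nxserver, fail2ban or any poster on the list): a small Python filter that reads syslog lines in the shape Fabian's nxserver hook would produce, takes the address out of the logged SSH_CLIENT value (which is "client_ip client_port server_port", so only the first token after IP= is the address), and applies the same policy as the recent-match rules above: the fourth failure from one address within 60 seconds triggers a ban. The sample log lines, the "nxserver" syslog tag, the year used to complete the syslog timestamp and the ban command that jumps to the sshd_bf chain are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (not a documented FreeNX format): standard syslog prefix,
# an "nxserver" tag, then the message Fabian's hook would log.  SSH_CLIENT is
# "client_ip client_port server_port", so only the first token after IP= is
# the address; the ports are left in the line and ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"nxserver(?:\[\d+\])?: Failed login for USER (?P<user>\S+)\. "
    r"IP=(?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log: 192.0.2.10 fails twice, then once more two minutes
# later; 198.51.100.7 fails four times within 16 seconds.
SAMPLE_LOG = [
    "Mar 14 10:01:02 nxhost nxserver[2311]: Failed login for USER alice. IP=192.0.2.10 51022 22",
    "Mar 14 10:01:09 nxhost nxserver[2312]: Failed login for USER alice. IP=192.0.2.10 51023 22",
    "Mar 14 10:01:40 nxhost sshd[2320]: Accepted publickey for nx from 192.0.2.10 port 51024 ssh2",
    "Mar 14 10:02:31 nxhost nxserver[2330]: Failed login for USER bob. IP=198.51.100.7 40001 22",
    "Mar 14 10:02:36 nxhost nxserver[2331]: Failed login for USER bob. IP=198.51.100.7 40002 22",
    "Mar 14 10:02:41 nxhost nxserver[2332]: Failed login for USER root. IP=198.51.100.7 40003 22",
    "Mar 14 10:02:47 nxhost nxserver[2333]: Failed login for USER admin. IP=198.51.100.7 40004 22",
    "Mar 14 10:03:30 nxhost nxserver[2340]: Failed login for USER alice. IP=192.0.2.10 51030 22",
]


def parse_line(line, year=2008):
    """Return (timestamp, ip, user) for a failed-login line, else None.
    Syslog timestamps carry no year, so one is supplied (the thread's year by
    default; a real deployment would pass the current year)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


class RecentTable:
    """Per-address sliding window with the semantics of the iptables rules
    above: every failure is a --set, and the address is banned once
    --hitcount stamps fall inside --seconds."""

    def __init__(self, seconds=60, hitcount=4):
        self.window = timedelta(seconds=seconds)
        self.hitcount = hitcount
        self.stamps = defaultdict(deque)

    def record(self, ts, ip):
        """Register one failure at ts; return True if ip has reached the threshold."""
        q = self.stamps[ip]
        q.append(ts)
        # Stamps older than the window no longer count, as with --seconds.
        while ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.hitcount


def ban_command(ip):
    """argv for a ban that reuses the sshd_bf chain (log, then drop).
    Hypothetical: the chain name is taken from the rules in this message."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "sshd_bf"]


def scan(lines, seconds=60, hitcount=4):
    """Run log lines through the filter; return the addresses to ban, in order."""
    table = RecentTable(seconds, hitcount)
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated line, e.g. a successful sshd login
        ts, ip, _user = parsed
        if table.record(ts, ip) and ip not in bans:
            bans.append(ip)
    return bans


if __name__ == "__main__":
    for banned in scan(SAMPLE_LOG):
        print(" ".join(ban_command(banned)))
```

On the sample log only 198.51.100.7 is banned; 192.0.2.10 never has four failures inside one window. To run it against a real host, feed scan() the lines of the syslog file the nxserver hook writes to, and pass the current year to parse_line(), since the syslog timestamp has none.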