Is there such a script that blocks IPs that try more than 3-4 times to access root? Because every time I open the server (CentOS) I get the message that root has been brute forced (bots obviously). I have their IPs but I don't want to manually ban them with `iptables -A INPUT -s IP-ADDRESS -j DROP`.
Schneejäger
-
Best option: **Disable** root login. Other: `fail2ban` or `DenyHosts` is your friend – Rahul Jul 20 '16 at 09:15
-
And if you want to go on with banning, something like [fail2ban](http://unix.stackexchange.com/a/171735/44760) should do the trick. – zagrimsan Jul 20 '16 at 09:19
-
Used fail2ban and it worked. – Schneejäger Jul 20 '16 at 10:14
-
Or instead of disabling root login entirely, restrict it to authorized_keys only with `PermitRootLogin prohibit-password` in `/etc/ssh/sshd_config`. Alternatively, use `forced-commands-only` and have different keys in `~root/.ssh/authorized_keys` to run different things as root. Remote root access without going via a user and sudo can be useful. – cas Jul 21 '16 at 03:12
-
IMO the only time you should use a password for an ssh login is when you're first adding your public key(s) to `~/.ssh/authorized_keys`. – cas Jul 21 '16 at 03:15
1 Answer
The standard tool for the job is fail2ban. It bans for a certain time an IP address that tried to log in unsuccessfully, and it is highly configurable.

It is not available in the standard CentOS repositories; you have to install the EPEL repo first.

On CentOS 6:

```
yum install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
```

On CentOS 7:

```
yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-1.noarch.rpm
```

and then:

```
yum install fail2ban
```

Note: it is highly recommended that you disable root login (this is done in the configuration of sshd).
dr_
-
Worked like a charm with it. Also works if you install it by Plesk web host edition. – Schneejäger Jul 20 '16 at 10:14
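
The threshold logic the answer describes (count failed logins per address inside a time window, then ban) illustrated as an added example; it is not part of the original answer and is not fail2ban's code. The log lines are constructed samples in the format sshd writes to `/var/log/secure`, and the parameter names `maxretry` and `findtime` are borrowed from fail2ban's jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the format sshd writes to /var/log/secure on CentOS.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 20 09:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 20 09:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jul 20 09:01:09 host sshd[1207]: Failed password for invalid user admin from 198.51.100.23 port 51200 ssh2
Jul 20 09:01:11 host sshd[1209]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jul 20 09:02:00 host sshd[1215]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
Jul 20 09:30:00 host sshd[1302]: Failed password for root from 198.51.100.23 port 51311 ssh2
Jul 20 10:45:00 host sshd[1400]: Failed password for root from 198.51.100.23 port 51390 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def offenders(log_text, user="root", maxretry=3, findtime=timedelta(minutes=10), year=2016):
    """Return IPs with >= maxretry failed logins for `user` inside any findtime window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["user"] != user:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        # Print the rule from the question instead of applying it.
        print(f"iptables -A INPUT -s {ip} -j DROP")
```

Unlike fail2ban, this sketch never lifts a ban and does not follow the log as it grows, which is why the answer's tool is the better choice on a live server.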