
How can I protect myself from SSH/FTP Brute Force Attacks?

In a "brute force" attack, an attacker tries a large number of username/password combinations against a login service until one of them succeeds. These attacks are among the most widespread on the Internet, and SSH and (S)FTP services are their most common targets.

Mitigation

The files /etc/hosts.allow and /etc/hosts.deny (TCP Wrappers) decide whether a client IP address may connect to a service. hosts.allow is consulted first, and a match there grants access; otherwise a match in hosts.deny rejects the connection; if neither file matches, the connection is allowed. Only services that are linked against libwrap, or started through tcpd, consult these files at all. Upstream OpenSSH removed TCP Wrappers support in version 6.7, so on many current distributions sshd never reads hosts.deny; check whether your sshd binary is linked against libwrap before relying on this mechanism for SSH.

Nine has built a system on top of this mechanism. If any host on the Internet tries to log in to a managed server with invalid credentials, its IP address is added to hosts.deny on the tenth failed attempt.

Further connections from that address are then rejected for 60 minutes. If the address resumes its attempts after the block expires, it is blocked for one week.

This measure is automatically implemented by Nine on managed server environments.

Publicly available hosts.deny

Nine publishes a /etc/hosts.deny that is generated from the failed authentication attempts seen on our managed servers.

This lets all our customers, and any interested system administrator, benefit from the same mechanism.

Obtain hosts.deny

The following cronjob runs every five minutes. wget -N downloads https://hostsdeny.nine.ch/hosts.deny only if the server's copy is newer than the local one, but it exits 0 either way, so the copy from /tmp/hosts.deny to /etc/hosts.deny runs on every invocation, not only after a new download. The copy replaces /etc/hosts.deny completely, so any local entries in that file are lost. Put the addresses you administer from into /etc/hosts.allow, which is consulted first, so that the downloaded list can never lock you out.

*/5 * * * * cd /tmp && wget -N https://hostsdeny.nine.ch/hosts.deny >/dev/null 2>&1 && cp hosts.deny /etc/hosts.deny

The /tmp/hosts.deny copy is kept so that, on later runs, wget can compare its timestamp against the list at https://hostsdeny.nine.ch/hosts.deny and only download it again when it has changed. Because /tmp is world-writable, a local user could pre-create /tmp/hosts.deny with a timestamp in the future: wget would then skip the download and the cron job would copy the planted file into /etc. On a multi-user system, use a root-owned directory instead of /tmp, and install the file atomically (write to a temporary file in /etc and rename it) so that a service never reads a half-written list.
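The following script is an added example of a hardened variant of the cronjob above; it is not Nine's code. It stages the download in a root-owned directory instead of /tmp, refuses to install anything that does not look like a hosts.deny (for instance an HTML error page), installs the file with an atomic rename, and includes a check for whether the local sshd is linked against libwrap at all. The directory /var/lib/hostsdeny, the script path in the cron comment, and all function names are hypothetical; the URL is the one from this page.

```shell
#!/bin/sh
# Added example, not Nine's code: fetch the published hosts.deny into a
# root-owned staging directory, sanity-check it, and install it atomically.
# Assumed (hypothetical) names: STAGE_DIR, TARGET and all function names.
set -eu

HOSTSDENY_URL="https://hostsdeny.nine.ch/hosts.deny"
STAGE_DIR="${STAGE_DIR:-/var/lib/hostsdeny}"   # root-owned, unlike /tmp
TARGET="${TARGET:-/etc/hosts.deny}"

# Return 0 if FILE is a plausible hosts.deny: non-empty, and every line that is
# not blank or a comment has the "daemon_list : client_list [: option]" shape.
# Catches an HTML error page or an empty body saved by a broken download.
validate_hosts_deny() {
    file="$1"
    [ -s "$file" ] || return 1
    if grep -Ev '^[[:space:]]*(#.*)?$' "$file" \
       | grep -Eqv '^[[:space:]]*[A-Za-z0-9_,.[:space:]-]+:[[:space:]]*[][A-Za-z0-9_./:, -]+$'; then
        return 1
    fi
    return 0
}

# Install SRC as DST via rename(2) so tcpd never reads a half-written file;
# refuse to touch DST if SRC fails validation.
install_hosts_deny() {
    src="$1"
    dst="$2"
    validate_hosts_deny "$src" || return 1
    tmp="$(mktemp "$(dirname "$dst")/.hosts.deny.XXXXXX")"
    cp "$src" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dst"
}

# wget -N keeps the server's timestamp and skips unchanged files, but it exits 0
# either way, so compare contents instead of trusting the exit status.
fetch_hosts_deny() {
    mkdir -p "$STAGE_DIR"
    chmod 0700 "$STAGE_DIR"
    (cd "$STAGE_DIR" && wget -q -N "$HOSTSDENY_URL") || {
        echo "download failed, keeping current $TARGET" >&2
        return 1
    }
    if ! cmp -s "$STAGE_DIR/hosts.deny" "$TARGET" 2>/dev/null; then
        install_hosts_deny "$STAGE_DIR/hosts.deny" "$TARGET"
    fi
}

# hosts.deny only affects services linked against libwrap (or run via tcpd).
# Upstream OpenSSH dropped libwrap support in 6.7, so check your sshd binary.
sshd_honours_hosts_deny() {
    sshd_bin="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    [ -x "$sshd_bin" ] && ldd "$sshd_bin" 2>/dev/null | grep -q libwrap
}

# Cron entry (hypothetical path): */5 * * * * /usr/local/sbin/hostsdeny-sync --fetch
case "${1:-}" in
    --fetch) fetch_hosts_deny ;;
    --check)
        if sshd_honours_hosts_deny; then
            echo "sshd is linked against libwrap; hosts.deny applies to SSH"
        else
            echo "sshd is not linked against libwrap; hosts.deny will not block SSH" >&2
        fi ;;
esac
```

Run it once with --check before installing the cron entry: if sshd is not linked against libwrap, the downloaded list will still protect tcpd-wrapped services such as an FTP daemon, but SSH brute-force attempts will need a different control.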