centos VPS monitoring software - Page 3

post #21 of 34
Quote:
Originally Posted by Plan9

To be fair, disabling password authentication like you suggest also mitigates the need for SSH rate limiting as well. But the nice thing about fail2ban is that you can use it for Apache, SMTP and all sorts. It's not just limited to SSH.

That's a good list you've posted though. I probably wouldn't have suggested the last two points, but there's no harm in them either (it's a case where there's as many reasons for as there are against). But a nice checklist all the same.

Thanks mate.

PS: Regarding fail2ban, I know you can use it for a lot of other things apart from SSH, but perhaps the OP does not; here is a link for any interested parties: http://www.fail2ban.org/wiki/index.php/HOWTOs
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
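The post above makes the point that fail2ban is a generic engine (log + failure regex + counting window) and not something tied to SSH. The following is an added illustration of that model in Python, not fail2ban's own code: two "jails", one for sshd and one for Apache basic-auth failures, share the same ban logic, and only the regex and date format differ. The log lines are constructed for the example (RFC 5737 documentation addresses, syslog lines assumed to be from 2013 since syslog omits the year), and the jail names, `findtime`/`maxretry`/`bantime` defaults and the `Jail` class are this example's own.

```python
"""Minimal fail2ban-style ban engine: an added illustration, not fail2ban's own
code. It mirrors fail2ban's model: a jail pairs a log with a failregex, each
match counts a failure for the matched host, and a host with `maxretry`
failures inside `findtime` seconds is banned for `bantime` seconds. The same
engine serves sshd and Apache; only the jail's regex and date format differ."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample logs (not from any real host). Syslog lines carry no
# year, so the sshd jail assumes 2013; Apache error_log lines include it.
SSHD_LOG = """\
Jan 14 10:00:01 vps sshd[2001]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 14 10:00:03 vps sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jan 14 10:00:05 vps sshd[2003]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jan 14 10:00:06 vps sshd[2004]: Failed password for root from 203.0.113.7 port 51140 ssh2
Jan 14 10:00:08 vps sshd[2005]: Failed password for deploy from 198.51.100.20 port 40030 ssh2
Jan 14 10:20:00 vps sshd[2006]: Failed password for deploy from 198.51.100.20 port 40031 ssh2
Jan 14 10:40:00 vps sshd[2007]: Failed password for deploy from 198.51.100.20 port 40032 ssh2
"""
APACHE_LOG = """\
[Mon Jan 14 10:05:00 2013] [error] [client 203.0.113.9] user bob authentication failure for "/admin": Password Mismatch
[Mon Jan 14 10:05:02 2013] [error] [client 203.0.113.9] user bob authentication failure for "/admin": Password Mismatch
[Mon Jan 14 10:05:03 2013] [error] [client 198.51.100.5] File does not exist: /var/www/favicon.ico
[Mon Jan 14 10:05:04 2013] [error] [client 203.0.113.9] user admin authentication failure for "/admin": Password Mismatch
"""

# Jail definitions (this example's own): each regex must capture `ts` and `host`.
JAILS = {
    "sshd": dict(
        failregex=re.compile(
            r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
            r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
        datefmt="%Y %b %d %H:%M:%S",
        year=2013,
    ),
    "apache-auth": dict(
        failregex=re.compile(
            r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<host>[^\]]+)\] "
            r"user \S+ authentication failure"),
        datefmt="%a %b %d %H:%M:%S %Y",
        year=None,
    ),
}


class Jail:
    def __init__(self, failregex, datefmt, year=None,
                 maxretry=3, findtime=600, bantime=3600):
        self.failregex, self.datefmt, self.year = failregex, datefmt, year
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # host -> recent failure times
        self.bans = {}                       # host -> ban expiry (epoch seconds)

    def _parse_ts(self, ts):
        text = ts if self.year is None else f"{self.year} {ts}"
        return datetime.strptime(text, self.datefmt).timestamp()

    def feed(self, line):
        """Return the host if this line triggers a ban, else None."""
        m = self.failregex.match(line)
        if not m:
            return None
        host, now = m.group("host"), self._parse_ts(m.group("ts"))
        recent = self.failures[host]
        recent.append(now)
        while recent and now - recent[0] > self.findtime:  # slide the window
            recent.popleft()
        if len(recent) >= self.maxretry and not self.is_banned(host, now):
            self.bans[host] = now + self.bantime
            recent.clear()
            return host
        return None

    def is_banned(self, host, at):
        return self.bans.get(host, 0) > at


def banned_hosts(jail_name, log_text):
    """Replay a log through one jail and list the hosts it would ban."""
    jail = Jail(**JAILS[jail_name])
    return [h for h in map(jail.feed, log_text.splitlines()) if h]


if __name__ == "__main__":
    for name, log in (("sshd", SSHD_LOG), ("apache-auth", APACHE_LOG)):
        print(name, "would ban:", banned_hosts(name, log))
```

Running it bans 203.0.113.7 in the sshd jail (three failures in five seconds) and 203.0.113.9 in the Apache jail, while 198.51.100.20 is never banned: its three failures are twenty minutes apart, so they never fall inside one `findtime` window, which is exactly the behaviour that keeps a legitimate user who occasionally mistypes from being locked out.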
post #22 of 34
Quote:
Originally Posted by Plan9

Plus if your box is really that high profile that you receive over 10K hits an hour (I sense that's a huge overstatement because I average at around 5 per day per box on my personal systems and they would have the same degree of hits if we're talking purely about blind IP sweeping - such as you are) then you really should be either IP whitelisting on your firewall or putting your SSH behind VPN.

The firewall was just showing the amount of attempted SSH attempts coming inbound. They were all dropped. As you stated, it would be ridiculous to have SSH open from the outside. We were previewing a Palo Alto Firewall (if you've heard of that company). I also have the joy of managing Linux servers at work, but only as a small part of my job. All of them are behind a pair of full campus firewalls. If we were public or in the cloud I'm sure I'd have set up fail2ban a few hundred more times than I have.
post #23 of 34
Quote:
Originally Posted by herkalurk

The firewall was just showing the amount of attempted SSH attempts coming inbound. They were all dropped. As you stated, it would be ridiculous to have SSH open from the outside. We were previewing a Palo Alto Firewall (if you've heard of that company). I also have the joy of managing Linux servers at work, but only as a small part of my job. All of them are behind a pair of full campus firewalls. If we were public or in the cloud I'm sure I'd have set up fail2ban a few hundred more times than I have.

I know what you mean. Sounds like your setup isn't that dissimilar from my place (except we use Cisco. If I'm honest, I'd not heard of Palo Alto before). I did load denyhosts (if you're not already aware, it's the same sort of thing as fail2ban, except it's more focused around SSH) on an SFTP box, but even there it's a bit redundant as we have IP whitelisting on the firewall.

fail2ban is more a recommendation for systems that sit on the outside edge of the network (such as VPSs do) than larger infrastructures like yours and mine that will have a rack of hardware firewalls and VPN concentrators.
post #24 of 34
Another thing you can do to harden SSH (if you have it open to the internet) is to use Google Authenticator as a secondary challenge-response authenticator in addition to your private key.

http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
http://code.google.com/p/google-authenticator/wiki/PamModuleInstructions

I nearly fell off my chair when I discovered this one, so cool...

I actually did this on one of my more recent VPS servers. I needed to access it from many locations, so IP restrictions were not an option; however, a 4096-bit key + Fail2Ban + GoogleAuthenticator = no one's getting in but me :-)
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
post #25 of 34
Quote:
Originally Posted by dushan24

Another thing you can do to harden SSH (if you have it open to the internet) is to use Google Authenticator as a secondary challenge-response authenticator in addition to your private key.

http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
http://code.google.com/p/google-authenticator/wiki/PamModuleInstructions

I nearly fell off my chair when I discovered this one, so cool...

I actually did this on one of my more recent VPS servers. I needed to access it from many locations, so IP restrictions were not an option; however, a 4096-bit key + Fail2Ban + GoogleAuthenticator = no one's getting in but me :-)

Nice find.

A year or two ago I was playing around with running captcha on SSH logins to stop automated attacks. But in the end it proved more annoying having to fill in the captcha every time than any additional security was worth.

That captcha worked the same way as your two factor authentication though (in terms of it being a PAM module).
post #26 of 34
Quote:
Originally Posted by Plan9

Nice find.

A year or two ago I was playing around with running captcha on SSH logins to stop automated attacks. But in the end it proved more annoying having to fill in the captcha every time than any additional security was worth.

That captcha worked the same way as your two factor authentication though (in terms of it being a PAM module).

Cool, got a link? I'd like to check it out (how was it implemented, did it print the captcha to the terminal or was it tied to a separate site?)

It can get annoying with Authenticator, but for me security is worth most any price.

And at least it is only 6 numbers :-)

But you can't "trust" an IP like you can with Google services that use Authenticator, so it's up to the person to weigh the pros and cons.
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
post #27 of 34
Quote:
Originally Posted by dushan24

Cool, got a link? I'd like to check it out (how was it implemented, did it print the captcha to the terminal or was it tied to a separate site?)

I don't have a link as I just stumbled across it in Arch's AUR. But I'm sure there's a site up if you do Google for it (Btrfs has slowly killed this laptop, so it's not even easy for me to fire up another tab to look myself).

The captcha was printed to the terminal.
Quote:
Originally Posted by dushan24

It can get annoying with Authenticator, but for me security is worth most any price.

And at least it is only 6 numbers :-)

But you can't "trust" an IP like you can with Google services that use Authenticator, so it's up to the person to weigh the pros and cons.

I'm not sure I even trust Google these days, but that's for a whole other thread.
post #28 of 34
Quote:
Originally Posted by Plan9

I'm not sure I even trust Google these days, but that's for a whole other thread.

While there's no doubt that you can't really trust Google with your information (though you can trust them more than others).

I think I'm safe using Authenticator, they don't actually have any access to my info, and the server is still secured by a private key initially should a back door be engineered into Authenticator or some other nastiness :-)
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
post #29 of 34
Quote:
Originally Posted by dushan24

While there's no doubt that you can't really trust Google with your information (though you can trust them more than others).

I actually trust Google less than many others to be honest. Just because of the quantity of personal data they acquire. (not that I think they're more distrustful, just that the data is more valuable so I'm more sensitive about it)

Quote:
Originally Posted by dushan24

I think I'm safe using Authenticator, they don't actually have any access to my info, and the server is still secured by a private key initially should a back door be engineered into Authenticator or some other nastiness :-)

You're completely right, of course. My comment wasn't about the authenticator though - just an off-topic rant about how Google are turning their backs on open standards (basically turning evil).
post #30 of 34
Quote:
Originally Posted by Plan9

I actually trust Google less than many others to be honest. Just because of the quantity of personal data they acquire.

That's very true, people don't seem to understand that Google's services are not "free".

You pay them with your information.
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
    
CPUMotherboardGraphicsGraphics
Intel Core i7 860 Asus P7P55D-E Pro MSI GTX560 Ti TwinFrozr II MSI GTX560 Ti TwinFrozr II 
RAMHard DriveHard DriveHard Drive
Corsair 8GB DDR3 OCZ Vertex 3 Western Digital Caviar Black Western Digital Caviar Green 
Hard DriveOptical DriveCoolingOS
Samsung 840 Pro Lite-On 24x DVD-RW CoolerMaster V8 Windows 8.1 Professional 
OSMonitorMonitorMonitor
Debian 7.1 Samsung S22B350H Samsung S22B350H Samsung S22B350H 
KeyboardPowerCaseMouse
Ducky Shine II Corsair HX850 CoolerMaster Storm Enforcer Logitech M500 
Mouse PadAudio
Razer Goliathus Microsoft LifeChat LX 3000 
  hide details  
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Linux, Unix
Overclock.net › Forums › Software, Programming and Coding › Operating Systems › Linux, Unix › centos VPS monitoring software