“Brute force” attacks, in which a large number of username/password combinations are checked to log in to server services, are among the most widespread attacks. The SSH and (S)FTP services in particular are frequent targets of such attacks.
/etc/hosts.deny files can be used to determine whether an IP address is allowed to connect.
Nine has developed a system that uses this mechanism. If any system on the Internet tries to connect to a managed server with invalid credentials, its IP address is blacklisted on the tenth failed attempt.
Further connections are then initially rejected for 60 minutes. If an IP address makes repeated attempts, it is blocked for one week.
This measure is automatically implemented by Nine on managed server environments.
Publicly available hosts.deny
Nine makes publicly available a /etc/hosts.deny that is created from failed authentication attempts on our managed servers.
Thus, all our customers or interested system administrators can also benefit from this mechanism.
The following cronjob checks every five minutes if a new version of the hosts.deny is available and downloads the file afterwards. After the file has been downloaded completely, it is copied from /tmp to /etc/hosts.deny:
*/5 * * * * cd /tmp && wget -N https://hostsdeny.nine.ch/hosts.deny >/dev/null 2>&1 && cp hosts.deny /etc/hosts.deny
The /tmp/hosts.deny file remains and is used to check if the list at https://hostsdeny.nine.ch/hosts.deny reflects a new state when the cronjob is run in the future.
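A stricter form of the copy step, as an added example that is not Nine's own script: it checks the downloaded list before it replaces /etc/hosts.deny and swaps the file in atomically. The entry format (one `daemon: address` pair per line) and the function names `validate_list` and `install_list` are assumptions.

```sh
#!/bin/sh
# Added example: validate a downloaded deny list, then install it atomically.
# Assumption: one "daemon: address" entry per line (IPv4 or bracketed IPv6,
# optional /prefix); adjust ENTRY_RE if the published list uses another form.
ENTRY_RE='^[A-Za-z][A-Za-z0-9_.-]*[[:space:]]*:[[:space:]]*([0-9]{1,3}(\.[0-9]{1,3}){3}|\[[0-9A-Fa-f:]+])(/[0-9]{1,3})?[[:space:]]*$'

# Succeeds only if the file is non-empty and every line is blank, a comment,
# or a plain entry.
validate_list() {
    file=$1
    # An empty or missing download must never replace the active list.
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    # hosts_access(5) allows an optional third field holding a shell command;
    # a blocklist has no need for it, so any such line fails the check here.
    bad=$(grep -Ev -e '^[[:space:]]*(#.*)?$' -e "$ENTRY_RE" "$file" | head -n 1)
    [ -z "$bad" ] || { echo "rejected line: $bad" >&2; return 1; }
    # A file made up only of comments is treated as a failed download.
    grep -Eq "$ENTRY_RE" "$file"
}

# Validates src and replaces dst with it; dst is left untouched on any failure.
install_list() {
    src=$1
    dst=$2
    validate_list "$src" || return 1
    # Stage the copy next to the destination so the final rename is atomic
    # and readers never see a half-written file.
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    if cat "$src" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Stand-alone use: sh script.sh <downloaded-file> <destination>
if [ "$#" -eq 2 ]; then
    install_list "$1" "$2"
fi
```

In the cronjob, a call to this script would take the place of the `cp` step. As with the original `cp`, the destination is overwritten, so locally maintained entries in /etc/hosts.deny are not preserved.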