Linux

47237 readers

3343 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers (thehackernews.com)

submitted 11 months ago by [email protected] to c/[email protected]

24 comments fedilink hide all child comments

From The Hacker News

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 13 points 11 months ago* (last edited 11 months ago) (1 children)

Sounds like a job for crowdsec. Basically fail2ban on steroids. They already have a ban scenario for attempts to exploit web application CVEs. While the default ssh scenario does not ban specific usernames, I'm pretty sure writing a custom one would be trivial (writing a custom parser+scenario for ghost cvs from no knowledge to fully deployed took me just one afternoon)

Another thing I like about crowdsec is the crowd sourced ban IPs. It's super nice you can preemptively ban IPs that are port-scanning/probing other people's servers.

It's also MIT licensed and uses less ram than fail2ban.

[–] [email protected] 1 points 11 months ago (1 children)

Hmm I keep hearing about it but haven't looked into it. One thing I have set up between my systems if they share the blocked IPs with each other so every server drops a blocked address at the same time... I assume crowdsec has something similar for local sharing so I don't have to wait for a blocked IP to be sent to them, added to the database, and sent back to my local machines again?

[–] [email protected] 2 points 11 months ago* (last edited 11 months ago) (1 children)

One way to do this would be set up crowdsec bouncers on each server but only run a single instance of the crowdsec daemon. Send all logs to the daemon and let it communicate with all the bouncers.

[–] [email protected] 1 points 11 months ago

Cool, thanks for the tip!