Hi,

I have ClearOS 7.1 final, Community, installed.
This morning, I discovered that I have had 1800 attempts to authenticate on my router: by SSH, or other.
This number appears in the top right corner of the admin page.

Then, temporarily, I disabled SSH, FTP, etc.
Now I have installed 2 apps:
Intrusion detection system, Intrusion prevention system.

Are these apps (or one of them?) logging?
I don't see it in the log viewer list, in the Report tab.

Thanks for any advice.
Olivier
Wednesday, November 18 2015, 11:27 AM
Responses (5)
  • Wednesday, November 18 2015, 12:30 PM
    Hi Olivier,
    To have IPS you need IDS. As part of the detection rule in IDS there can be a "block" rule which may be triggered after a certain number of attempts and the block period will vary. If 7.1 is still using the community rules you won't have gained much as the rules are very old. Really you'll want an updated rule set, either by subscription from ClearOS or perhaps free from someone like EmergingThreats, but bear in mind the free rules lag their paying rules and you'll have to manage the update yourself. There is a script in the forum which covers it.

    I strongly suggest you avoid opening ssh to the internet. If you need it, connect by VPN then use ssh as if you were connected to the LAN. There are too many bots out there hammering away at port 22 and they are not easy to block using IDS/IPS or even fail2ban. There are a couple of Chinese ones which probe from a whole subnet, rarely using an IP address more than once in a day. Not easy for a rule-based system to spot. EmergingThreats have lists of compromised or hostile IPs but because the lists are so big they don't really suit iptables and, even less, IPS. They are better parsed for their IPs which are then put into an ipset rule. Again search the site for ipset and you'll find an OTT script.

    Also investigate using fail2ban which monitors your logs for various events (login failures and so on) and puts in firewall blocks. I use it to block web site probing and e-mail naughties. I don't use it for ssh as I don't have ssh open to the public, but it was originally designed for ssh then extended.
    Nick
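The ipset approach Nick describes, as an added example that is not part of the thread or of any ClearOS script: parse a hostile-IP feed down to bare IPv4 addresses and CIDRs, load them into one `hash:net` set, and match the whole set with a single iptables rule instead of one rule per address. The feed text is constructed for the example, the set name `hostile` is an assumption, and how the DROP rule is hooked into the ClearOS firewall (its custom rules file versus a manual insert) is left open, since the thread does not say.

```sh
#!/bin/sh
# Added example (not from the thread): turn a hostile-IP feed into a single
# ipset so one iptables rule covers the whole list.
# Assumes the `ipset` package and a feed in the common "one IPv4 address or
# CIDR per line, '#' comments" format. SAMPLE_FEED below is constructed data.

SAMPLE_FEED='# constructed sample feed, not real threat data
203.0.113.7
198.51.100.0/24

192.0.2.33/32     # trailing comment
256.1.1.1         # invalid octet, must be rejected
not-an-address
203.0.113.7       # duplicate, must appear once
'

# Read a feed on stdin, write an `ipset restore` script for set $1 on stdout.
# Drops comments and blank lines, keeps only well-formed IPv4 addresses or
# CIDRs, and dedups, so one bad line in a huge feed cannot abort the restore.
feed_to_restore() {
  set_name=$1
  printf 'create %s hash:net family inet hashsize 4096 maxelem 262144\n' "$set_name"
  sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk '{
        n = split($0, parts, "/"); split(parts[1], o, ".")
        ok = 1
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
        if (n == 2 && parts[2] + 0 > 32) ok = 0
        if (ok) print
      }' \
    | sort -u \
    | sed "s/^/add $set_name /"
}

# Number of "add" entries the sample feed yields for set $1 (used for checking).
feed_entry_count() {
  printf '%s' "$SAMPLE_FEED" | feed_to_restore "$1" | grep -c '^add '
}

# Load a feed (stdin) into a live set without a window where the set is
# empty: build a temporary set, swap it in atomically, drop the old one.
load_set() {
  set_name=$1
  tmp="${set_name}_tmp"
  ipset destroy "$tmp" 2>/dev/null || true
  feed_to_restore "$tmp" | ipset restore
  ipset -exist create "$set_name" hash:net family inet hashsize 4096 maxelem 262144
  ipset swap "$tmp" "$set_name"
  ipset destroy "$tmp"
  # One rule for the whole list. Where this rule should live so the ClearOS
  # firewall does not flush it on restart is an assumption left to the reader.
  iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null \
    || iptables -I INPUT -m set --match-set "$set_name" src -j DROP
}

case "${1:-}" in
  --apply) printf '%s' "$SAMPLE_FEED" | load_set hostile ;;   # needs root + ipset
  *)       printf '%s' "$SAMPLE_FEED" | feed_to_restore hostile ;;  # dry run: show the restore script
esac
```

Run without arguments to see the generated `ipset restore` script (three entries from the sample: the duplicate collapses, the out-of-range octet and the junk line are dropped); run with `--apply` as root to load the set and add the DROP rule. Re-running `--apply` with a fresh feed replaces the set in place, which is the point of the temporary set plus `ipset swap`.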
  • Wednesday, November 18 2015, 02:39 PM
    Hi,

    I disabled SSH.
    I looked into the EmergingThreats web page. The list of files containing various rules is large, too large for me.

    So, for the moment, if the IDS community rules are too old, I will uninstall it and bet on the firewall and a good password.

    Thanks for your feedback.

    Olivier
  • Wednesday, November 18 2015, 05:33 PM
    At least install fail2ban and enable the jails for the services you are exposing to the internet.
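What "enable the jails for the services you are exposing" looks like in practice, as an added example that is not part of the thread or of the fail2ban package: a `jail.local` for the fail2ban 0.9.x shipped in EPEL 7. The LAN range in `ignoreip` and the choice of jails (sshd, proftpd for ClearOS's FTP server, postfix) are assumptions for the example; enable only the ones you actually expose.

```ini
# /etc/fail2ban/jail.local (added example, not from the thread)
# Settings here override /etc/fail2ban/jail.conf; edit this file, not jail.conf.

[DEFAULT]
# Never ban loopback or your own LAN (the 192.168.1.0/24 range is an assumption).
ignoreip = 127.0.0.1/8 192.168.1.0/24
# 5 failures within 10 minutes earn a one-hour ban.
maxretry = 5
findtime = 600
bantime  = 3600
# The fail2ban-firewalld package drops in jail.d/00-firewalld.conf, which sets
# banaction = firewallcmd-ipset. That action needs firewalld; on a box running a
# different iptables-based firewall, use the plain iptables + ipset action instead
# (ipset is installed as a fail2ban-server dependency, as the yum transaction
# later in this thread shows).
banaction = iptables-ipset-proto6

# One jail per internet-facing service. Each reads its own log (sshd uses
# /var/log/secure on EL7 by default) with the matching filter in filter.d/.
[sshd]
enabled = true

[proftpd]
enabled = true

[postfix]
enabled = true
```

After `systemctl restart fail2ban`, `fail2ban-client status sshd` shows the jail's failure and ban counters, and `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf` confirms the filter actually matches the log format. Worth checking on a router whose firewall manages iptables itself: a firewall restart can flush the `f2b-*` chains fail2ban inserted, after which `fail2ban-client reload` recreates them.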
  • Jamie Dean, Sunday, December 27 2015, 01:22 AM
    Just a quickie!

    I see you mention fail2ban; has anyone had issues installing it?

    I enabled the EPEL repo as it only seems to be available from that one but when I install it resolves dependencies and installs:
    ===========================================================================
     Package               Arch     Version            Repository        Size
    ===========================================================================
    Removing:
     systemd-python        x86_64   219-19.el7         @clearos-centos   184 k
    Downgrading:
     dracut                x86_64   033-241.el7_1.5    clearos           301 k
     dracut-config-rescue  x86_64   033-241.el7_1.5    clearos            45 k
     dracut-network        x86_64   033-241.el7_1.5    clearos            82 k
     initscripts           x86_64   9.49.24-1.v7       clearos           428 k
     kmod                  x86_64   14-10.el7          clearos            78 k
     systemd               x86_64   208-20.el7_1.6     clearos           2.6 M
     systemd-libs          x86_64   208-20.el7_1.6     clearos           162 k
     systemd-sysv          x86_64   208-20.el7_1.6     clearos            44 k

    After a reboot it seems to break webconfig's connection to LDAP even though LDAP works fine through Samba. Webconfig->Accounts Manager constantly says Accounts System Is Offline.

    If I "yum history undo XX" (the previous as per above) it all springs to life again.

    P.S. I could only ever get it to break after a reboot, which led me to believe it could be initscripts, but that's really a guess. I've no idea where to go without trawling through webconfig code to see where it's pulling its status from.


    I may just go with your OpenVPN suggestion, which would be a nice thing to have. Shame there's no portable version; you have to install on Windows for TAP :-(
  • Monday, December 28 2015, 07:22 PM
    You should not have had to enable EPEL as fail2ban is already available in clearos-epel which is enabled by default:
    [root@clearos7vm ~]# yum install fail2ban
    Loaded plugins: clearcenter-marketplace, fastestmirror
    ClearCenter Marketplace: fetching repositories...
    clearos | 3.6 kB 00:00
    clearos-centos | 3.6 kB 00:00
    clearos-centos-updates | 3.4 kB 00:00
    clearos-contribs | 3.0 kB 00:00
    clearos-developer | 1.9 kB 00:00
    clearos-epel/7/x86_64/metalink | 27 kB 00:00
    clearos-epel | 4.3 kB 00:00
    clearos-fast-updates | 1.9 kB 00:00
    clearos-infra | 3.0 kB 00:00
    clearos-updates | 3.0 kB 00:00
    (1/3): clearos-updates/7/primary_db | 686 kB 00:00
    (2/3): clearos-epel/7/x86_64/updateinfo | 444 kB 00:00
    (3/3): clearos-epel/7/x86_64/primary_db | 3.7 MB 00:01
    Determining fastest mirrors
    * clearos: mirror1-london.clearos.com
    * clearos-centos: mirror.econdc.com
    * clearos-centos-updates: mirror.econdc.com
    * clearos-contribs: mirror1-london.clearos.com
    * clearos-developer: download3.clearsdn.com
    * clearos-epel: epel.check-update.co.uk
    * clearos-fast-updates: download3.clearsdn.com
    * clearos-infra: mirror1-london.clearos.com
    * clearos-updates: mirror1-london.clearos.com
    * private-clearcenter-dyndns: download1.clearsdn.com:80
    private-clearcenter-dyndns | 1.9 kB 00:00
    Resolving Dependencies
    --> Running transaction check
    ---> Package fail2ban.noarch 0:0.9.3-1.el7 will be installed
    --> Processing Dependency: fail2ban-server = 0.9.3-1.el7 for package: fail2ban-0.9.3-1.el7.noarch
    --> Processing Dependency: fail2ban-sendmail = 0.9.3-1.el7 for package: fail2ban-0.9.3-1.el7.noarch
    --> Processing Dependency: fail2ban-firewalld = 0.9.3-1.el7 for package: fail2ban-0.9.3-1.el7.noarch
    --> Running transaction check
    ---> Package fail2ban-firewalld.noarch 0:0.9.3-1.el7 will be installed
    ---> Package fail2ban-sendmail.noarch 0:0.9.3-1.el7 will be installed
    ---> Package fail2ban-server.noarch 0:0.9.3-1.el7 will be installed
    --> Processing Dependency: systemd-python for package: fail2ban-server-0.9.3-1.el7.noarch
    --> Processing Dependency: ipset for package: fail2ban-server-0.9.3-1.el7.noarch
    --> Running transaction check
    ---> Package ipset.x86_64 0:6.19-4.el7 will be installed
    --> Processing Dependency: ipset-libs = 6.19-4.el7 for package: ipset-6.19-4.el7.x86_64
    --> Processing Dependency: libipset.so.3(LIBIPSET_3.0)(64bit) for package: ipset-6.19-4.el7.x86_64
    --> Processing Dependency: libipset.so.3(LIBIPSET_2.0)(64bit) for package: ipset-6.19-4.el7.x86_64
    --> Processing Dependency: libipset.so.3(LIBIPSET_1.0)(64bit) for package: ipset-6.19-4.el7.x86_64
    --> Processing Dependency: libipset.so.3()(64bit) for package: ipset-6.19-4.el7.x86_64
    ---> Package systemd-python.x86_64 0:219-19.el7 will be installed
    --> Running transaction check
    ---> Package ipset-libs.x86_64 0:6.19-4.el7 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
    Package Arch Version Repository Size
    ================================================================================
    Installing:
    fail2ban noarch 0.9.3-1.el7 clearos-epel 9.7 k
    Installing for dependencies:
    fail2ban-firewalld noarch 0.9.3-1.el7 clearos-epel 9.9 k
    fail2ban-sendmail noarch 0.9.3-1.el7 clearos-epel 13 k
    fail2ban-server noarch 0.9.3-1.el7 clearos-epel 395 k
    ipset x86_64 6.19-4.el7 clearos-centos 36 k
    ipset-libs x86_64 6.19-4.el7 clearos-centos 46 k
    systemd-python x86_64 219-19.el7 clearos-centos 97 k

    Transaction Summary
    ================================================================================
    Install 1 Package (+6 Dependent packages)

    Total download size: 607 k
    Installed size: 1.7 M
    Is this ok [y/d/N]:


    Can I suggest you disable EPEL as soon as possible, as you may hose your system?