how to beat brute force attacks on Linux server

Hi,

Is there any concept for avoiding brute force attacks?

There is no concept for this in the XG WAF, right?

When installing fail2ban, the Linux server always sees the Sophos address (inside-out traffic is normally NATed).

Is there any way to get around this and block brute force?

Thanks for hints.



This thread was automatically locked due to age.
  • Hi  

    You can create a custom IPS policy and add a required signature and apply on the firewall rule - https://docs.sophos.com/nsg/sophos-firewall/v16058/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/IpsPolicyDetailEdit.html

    If you want to allow or block SSH service for firewall, you can create Local ACL rule - https://community.sophos.com/kb/en-us/132814#Local%20Service%20ACL%20Exception%20Rule

  • Hi  

    When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the web application firewall (WAF) because the connection is made through the WAF. The client’s real IP address is available in the HTTP header.

    So if you can do the rate limit settings on your Linux server based on X-Forwarded-For addresses for each request then this may help you to prevent brute force attack on server.
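The rate limit the reply above describes, as an added example that is not from this thread or from Sophos: a fail2ban-style sliding-window counter over access-log lines that keys on the address appended by the WAF rather than on the WAF's own interface address. It assumes (hypothetically) an Apache-style log with the X-Forwarded-For header logged in quotes, a WAF at 10.0.0.1 as the only trusted proxy, and that a failed login is a POST to /login answered with 401 or 403; the log lines are constructed. The caveat it handles: a client can send its own X-Forwarded-For, so only the last entry (the one the trusted proxy appended) may be used, and the header must be ignored entirely on connections that did not come through the proxy.

```python
"""Rate-limit failed logins by the real client address behind a WAF.

Added example, not code from the original thread. Assumptions (hypothetical):
- Apache-style access log lines with the X-Forwarded-For header appended in
  quotes, e.g. LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" xff
- the WAF reaches the server from 10.0.0.1, the only trusted proxy
- a failed login is a POST to /login answered with 401 or 403
The log lines at the bottom are constructed for the demo.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}  # assumed WAF address


def client_ip(remote, xff):
    """Pick the address to count failures against.

    When the TCP peer is a trusted proxy, use the LAST entry of
    X-Forwarded-For: that is the one the proxy appended, so the client
    cannot forge it (a client-supplied header only pushes extra entries
    to the left). When the peer is not a trusted proxy, ignore the header,
    because every entry in it came from the client.
    """
    try:
        peer = ipaddress.ip_address(remote)
    except ValueError:
        return None
    if peer not in TRUSTED_PROXIES or not xff or xff == "-":
        return remote
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None  # malformed entry even from the proxy side: do not guess


def find_brute_force(lines, maxretry=5, window_s=600):
    """Return {client_ip: time of the failure that crossed the threshold}.

    Sliding window: a client is flagged once it has maxretry failed logins
    within window_s seconds, the same rule a fail2ban jail applies.
    """
    failures = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        is_failed_login = (
            m["method"] == "POST"
            and m["path"].startswith("/login")
            and m["status"] in ("401", "403")
        )
        if not is_failed_login:
            continue
        ip = client_ip(m["remote"], m["xff"])
        if ip is None or ip in flagged:
            continue
        t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = failures[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= maxretry:
            flagged[ip] = t
    return flagged


def _line(sec, remote, xff, status="401"):
    ts = f"10/Oct/2023:13:55:{sec:02d} +0000"
    return f'{remote} - - [{ts}] "POST /login HTTP/1.1" {status} 512 "{xff}"'


# Constructed sample: the attacker at 203.0.113.7 sends a forged
# X-Forwarded-For of 198.51.100.9; the WAF appends the true address.
SAMPLE_LOG = [_line(s, "10.0.0.1", "198.51.100.9, 203.0.113.7") for s in range(0, 30, 5)]
# A legitimate user who mistypes twice.
SAMPLE_LOG += [_line(s, "10.0.0.1", "198.51.100.20") for s in (31, 33)]
# A direct connection that bypassed the WAF and carries a forged header.
SAMPLE_LOG.append(_line(40, "192.0.2.5", "10.0.0.1"))
# A successful login from the attacker's address must not count.
SAMPLE_LOG.append(_line(45, "10.0.0.1", "203.0.113.7", status="302"))


def demo():
    return find_brute_force(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, when in demo().items():
        print(f"ban {ip} (threshold crossed at {when.isoformat()})")
```

On the constructed sample only 203.0.113.7 is flagged; the forged 198.51.100.9 never is. A fail2ban filter for the same setup has to capture `<HOST>` from that last X-Forwarded-For entry rather than from the first log field, otherwise every ban lands on the WAF's own address, which is exactly the symptom described in the question.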

  • Keyur, thanks for answer.

    There are so many existing IPS policies in XG.

    There is no existing one taking care of this behaviour?

    I am unable to determine that one (if existing).

  • Hi  

    You may create a custom IPS policy and add signatures by searching for "brute force" and adding all the signatures it lists.

    You can edit the General policy available in IPS: go to General policy >> remove the existing added details (or keep them as per your requirement) >> click Add, which opens a new tab >> select "Select individual signature", apply the "Name" filter and enter the string "brute force"; it will list the available brute force signatures. Select them and click Save.

    Please also check  response in the previous thread.

    This thread would also be helpful - https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/120481/fail2ban-and-waf

  •  and  have already covered a lot of what the XG Firewall can do to help you against brute force attacks. But remember that the firewall itself is only one part of a holistic concept, and the servers themselves can be protected against brute force attacks by simple measures...

    An attack chain unfortunately has many points that hackers can use for their attack. Attacks or weak points therefore usually target the weakest link in the chain. Only a holistic view of all security-relevant areas (links) can lead to an adequate security level.

    1. Change the SSH port to an unobtrusive number
    2. Forbid the root user to log in via SSH
    3. Say goodbye to password authentication and switch to private key authentication
      Steps 1-3 together are "SSH hardening"; more info here.
    4. Do not use a "normal" username like admin, administrator, superuser, or even first and last name.
    5. Also use the local firewall of the server, e.g. to only allow access to the services / ports that are really needed.
    6. Updates are important. Install them regularly; best is to automate security updates (the URL is for Debian-based systems).

    Since every OS is different in its components, it can and must be secured differently! I did some research for my customer and lab environments myself to learn how to harden all the different systems. The open source tool Lynis supports us in analyzing and improving system security. To do this, it gathers information about the system, the installed packages and the existing configuration. There is a free version which can be downloaded from its official site.

    I think there is no single best-practice approach, but at least some kind of basic protection against attacks like brute force. Especially in IT, the day after tomorrow half of the measures will be outdated or "broken" due to some kind of security gap. Once you have gotten used to a basic concept and maintain it on all systems, you are already doing better than half of the web servers configured on the Internet.

    Hope this helps you out, if you're interested in more I'll think about writing a guide here in the Community.

    Best regards
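Steps 1 to 3 of the list above, turned into a check a practitioner can run against an sshd_config. This is an added example, not part of the post and not Lynis; it assumes one flat file (Include directives are not followed) and the OpenSSH defaults noted in the code, and the three config texts are constructed. It models two sshd rules that home-grown audits tend to miss: for a repeated keyword the first occurrence wins, so a distro default earlier in the file silently overrides an admin's later edit, and keywords after a Match line are conditional, so they do not count for the global section. It also checks KbdInteractiveAuthentication (alias ChallengeResponseAuthentication), because with PAM that setting still allows password prompts after PasswordAuthentication has been turned off.

```python
"""Check the global section of an sshd_config against SSH hardening steps 1-3.

Added example, not part of the original post or of Lynis. Assumptions:
- a single flat file; Include directives are not followed
- OpenSSH defaults as listed in DEFAULTS (current releases)
It models sshd's "first occurrence wins" rule and stops the global audit at
the first Match line. The configs at the bottom are constructed for the demo.
"""

# OpenSSH defaults for the keywords audited here.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
}

# Older keyword name that sshd still accepts as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                 # sshd also accepts "Keyword=value"
            line = line.replace("=", " ", 1)
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break                        # conditional block: not global
        settings.setdefault(key, parts[1].strip().lower())
    return settings


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["port"] == "22":
        findings.append("Port 22: step 1 moves SSH to an unobtrusive port "
                        "(cuts scanner noise; it is not a security boundary)")
    if cfg["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin {cfg['permitrootlogin']}: step 2 wants 'no'")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': step 3 wants key-only login")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': with PAM, password "
                        "prompts still work even when PasswordAuthentication is off")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: key login would be impossible")
    if int(cfg["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']}: allow at most 3 attempts per connection")
    return findings


WEAK_CONFIG = """\
# Constructed: distro-like defaults with root password login left open
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
# Constructed: steps 1 to 3 applied, plus a short retry budget
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers deploy
"""

# The trap: an earlier line silently wins over the admin's later edit.
FIRST_WINS_CONFIG = """\
PasswordAuthentication yes
# ... 200 lines later the admin adds:
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("first-wins", FIRST_WINS_CONFIG)):
        print(f"{name}: {audit(text) or 'OK'}")
```

After editing the real file, `sshd -t` validates the syntax and `sshd -T` prints the effective values sshd will actually use, which is the authoritative way to confirm that the first-wins rule and any Include drop-ins resolved the way you expect.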