I have been reading quite a lot about security, best security practices and so on BUT, i have not found something, and was hoping a bunch of guys with experience can throw some advise regarding the matter.
Changing SSH Port to a non-standard port blocks 90% of attacks in my experience. Not too many guys are "targeting" you, so they don't bother checking the rest of the ports to see which port is listening for SSH or any other sensitive service.
A person with enough interest or determination WILL figure out what port is listening, and eventually launch an attack. Example: running nmap -p- -sV -O <target-IP>
So you have taken the necessary measures to protect ssh, but what about other services?
If you are - like me - running more than one service on a single server, then they can be attacked as well.
I have a Container where i run a mail rely server, ssh server (obviously) and an vsftp server.
Going trough the logs of vsftp today, i saw at least 500 login attempts from one SINGLE IP address. SO
I know it can be done, just don't know how to.
1- What needs to be setup to monitor the logs on the server, and make sure that after 3 failed login attempts, the attacking IP is "AUTOMATICALLY" added to /etc/hosts.deny
2- Make sure the service runs as daemon, not a cron job. If someone has it already running as a cron job, advise will be appreciated.
3- Block the attacking IP's forever.
4- Maybe a script used to grep logs out and filter only the IP's with certain amount of login attempts, then add this IP's to hosts.deny.
5- I assume the process is the same for every service, as the logs are pretty much the same. Maybe the only things that would change are the lines to grep out???
Any help will be much appreciated.