Re: [Full-disclosure] SSH brute force blocking tool

From: Anders B Jansson <hdw@xxxxxxxxxxx>
Date: Tue, 28 Nov 2006 18:31:52 +0100

Just one possibly silly question.

Why are you working so hard to do this with complex scripts and stuff?

I just wrote a little C snippet that runs on the firewall.
All servers allowing external ssh send a copy of ssh auth to a port
on the firewall.

If it detects a brute force it adds the host to the block list and
everything from that host is silently dropped.

Added a whitelist function to avoid DOS attempts.

Works perfect, and adds community service by letting the trawlers
hang until they timeout.
--
// hdw

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Thierry Zoller
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo

References:
- [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Thierry Zoller
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy

Prev by Date: Re: [Full-disclosure] FWD: RE: [Dailydave] Symantec Blackberry Whitepaper. (fwd)
Next by Date: Re: [Full-disclosure] SSH brute force blocking tool
Previous by thread: Re: [Full-disclosure] SSH brute force blocking tool
Next by thread: Re: [Full-disclosure] SSH brute force blocking tool
Index(es):
- Date
- Thread

Relevant Pages

Re: Host Computer with ICS cannot be accessed
... I have the Main (Host) computer with XP SP1 which is the ICS computer on a ... firewall settings, not that I've found so far, but I'll keep looking. ... >>connection, I can check or uncheck the firewall setting to allow others on ... Is there a way I can tell my Host server to allow the Client ...
(microsoft.public.windowsxp.network_web)
Re: Host Computer with ICS cannot be accessed
... I have the Main (Host) computer with XP SP1 which is the ICS computer on a ... firewall settings, not that I've found so far, but I'll keep looking. ... >>connection, I can check or uncheck the firewall setting to allow others on ... Is there a way I can tell my Host server to allow the Client ...
(microsoft.public.windowsxp.network_web)
Re: One computer cant see the other.
... I'm not sure I'm doing this right Steve, but on the command prompt at my host ... command prompt on my host machine and my client machine when I ping the host. ... network of two computers. ... The most likely problem is that a firewall (Norton, McAfee, ZoneAlarm, ...
(microsoft.public.windowsxp.network_web)
RE: [fw-wiz] Vulnerability Response
... >> management effort scales with the number of hosts. ... It scales non-linearly if the problem area is well-defined. ... Now - if you're gonna make a firewall policy for 10,000 desktops ... When someone talks about doing mitigation at the host level, ...
(Firewall-Wizards)
RE: Securing a Local Network
... attacker that has broken into one host to hop among the other hosts. ... If you have a central firewall acting as a choke point, ... computers to go out over non-essential ports, ... > interaction with one of our expert instructors. ...
(Security-Basics)