RE: OpenSSH -- a way to block recurrent login failures?

From: Baker, Darryl (Darryl.Baker_at_gedas.com)
Date: 09/30/04

  • Next message: lonely wolf: "Re: Locking down ssh config in large env"
    To: 'Bartek Krajnik' <bmk@bicom.pl>, 'Victor Danilchenko' <danilche@cs.umass.edu>
    Date: Thu, 30 Sep 2004 16:00:40 -0400
    
    
    

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I would suggest looking at this site. They have a PAM module for you.
    http://www.comsmiths.com.au/pam/

    _____________________________________________________________________
    Darryl Baker
    gedas USA, Inc.
    Operational Services Business Unit
    3800 Hamlin Road
    Auburn Hills, MI 48326
    US
    phone +1-248-754-5341
    fax +1-248-754-6399
    Darryl.Baker@gedas.com
    http://www.gedasusa.com
    _____________________________________________________________________

    > -----Original Message-----
    > From: bartek@mail.bicom.pl [mailto:bartek@mail.bicom.pl]On Behalf
    > Of Bartek Krajnik
    > Sent: Saturday, September 25, 2004 7:23 PM
    > To: Victor Danilchenko
    > Cc: secureshell@securityfocus.com
    > Subject: Re: OpenSSH -- a way to block recurrent login failures?
    >
    >
    > On 21-09-2004 at 10:02:22AM -0400, Victor Danilchenko wrote:
    > VD> Hi,
    > VD>
    > VD> We are looking for a way to temporarily block hosts from which
    > VD> we receive a given number of sequential failed login attempts, not
    > VD> necessarily within the same SSH session (so MaxAuthTries is not enough).
    > VD> The best solution I could come up with so far would be to run OpenSSH
    > VD> through TCPWrappers, and set up a log watcher daemon which would edit
    > VD> /etc/hosts.deny on the fly based on the tracked number of failed logins
    > VD> for each logged host.
    > VD>
    > VD> Is there a better solution known for the sort of problems we
    > VD> have been plagued with lately -- repeated brute-force crack attempts
    > VD> from remote hosts? I looked on FreshMeat and I searched the mailing
    > VD> lists, only to come up empty-handed.
    > VD>
    >
    > mkfifo /dev/auth
    >
    > Add to syslog.conf:
    > auth,authpriv.* |/dev/auth
    >
    > reload syslog
    >
    > Now write a simple program which reads data from the fifo
    > (/dev/auth) and inserts iptables (ipf)
    > rules (perl will be the best).
    >
    > Your tool blocks IPs in real time.
    >
    > I wrote something similar for POP-before-SMTP:
    > http://www.bmk.bz/logrelay-pop3/
    >
    > If you have no time, try portsentry.
    >
    > Best regards,
    > Bartek.
    > --
    > If You want to verify authentication of my e-mail visit:
    > www.bmk.bicom.pl
    > to get from there my public key.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Security 7.0.3

    iQA/AwUBQVxl71e1Bhkj9lZeEQI4RwCdG87Ji6ZxdBcSD6jxRR1gUsrdqTgAoOOV
    xOLOBwij11G4pJ7ERLL/y/3R
    =wg/j
    -----END PGP SIGNATURE-----
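
The FIFO reader described in the quoted reply, written out as an added example (not code from this thread or from either poster). It counts sequential failures per host across sessions, resets on a successful login, and returns `iptables` commands instead of running them. The threshold, block duration, allowlist, port 22 and the sample log lines are assumptions.

```python
import ipaddress
import re

# Anchored at end of line: sshd writes the peer address last, so a crafted
# username like "x from 203.0.113.9 port 1" cannot choose which host is blocked.
TAIL = r" for .* from (\S+) port \d+(?: ssh\d?)?$"
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+" + TAIL)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+" + TAIL)

def rule(action, host):
    return ["iptables", action, "INPUT", "-s", str(host),
            "-p", "tcp", "--dport", "22", "-j", "DROP"]

class Blocker:
    def __init__(self, threshold=3, block_seconds=600, allow=()):
        self.threshold, self.block_seconds = threshold, block_seconds
        self.allow = {ipaddress.IPv4Address(a) for a in allow}  # never block these
        self.failures = {}  # host -> consecutive failed logins, across sessions
        self.blocked = {}   # host -> time the temporary block expires

    def feed(self, line, now):
        """Handle one syslog line; return the iptables argv lists to execute."""
        cmds = [rule("-D", h) for h, t in self.blocked.items() if t <= now]
        self.blocked = {h: t for h, t in self.blocked.items() if t > now}
        failed, accepted = FAILED.search(line), ACCEPTED.search(line)
        if not (failed or accepted):
            return cmds
        try:  # iptables is IPv4-only; anything else is ignored, never passed on
            host = ipaddress.IPv4Address((failed or accepted).group(1))
        except ValueError:
            return cmds
        if accepted:
            self.failures.pop(host, None)  # a success resets the sequence
        elif host not in self.allow and host not in self.blocked:
            self.failures[host] = self.failures.get(host, 0) + 1
            if self.failures[host] >= self.threshold:
                del self.failures[host]
                self.blocked[host] = now + self.block_seconds
                cmds.append(rule("-I", host))
        return cmds

# Constructed sample lines (not from the thread); the second has a spoofing username.
SAMPLE = [
    "Sep 30 16:00:01 gw sshd[101]: Failed password for root from 192.0.2.10 port 4242 ssh2",
    "Sep 30 16:00:05 gw sshd[102]: Failed password for invalid user x from 203.0.113.9 port 1"
    " from 192.0.2.10 port 4243 ssh2",
]
def demo(threshold=2):
    b = Blocker(threshold)
    return [c for t, line in enumerate(SAMPLE) for c in b.feed(line, t)]
```

In use, each line read from `/dev/auth` would be passed to `feed()` with the current time and the returned argv lists handed to `subprocess.run`; the allowlist should include the administrators' own addresses so a mistyped password cannot lock them out.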
     

    
    


