Re: Banning SSH attackers
From: Alex Gottschalk (agottschalk_at_letstalk.com)
Date: 10/21/05
- Previous message: Paul Berube: "Re: Banning SSH attackers"
- In reply to: Paul Berube: "Banning SSH attackers"
- Next in thread: Eldon Ziegler: "Re: Banning SSH attackers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Paul Berube <stazz@shaw.ca>
Date: Fri, 21 Oct 2005 12:26:45 -0700
OpenBSD's PF firewall will let you do this, with any port. More than X
connections/sec from a given IP will let you add that src IP to a table,
which you can then ban, or whatever. Look for the <overload> operator
here: <http://www.openbsd.org/faq/pf/filter.html#stateopts>
--Alex
On Thu, 2005-10-20 at 11:42 -0600, Paul Berube wrote:
> Hi.
>
> First off, my personal disclaimer: I'm not a (real) sysadmin, nor a
> security or networking or even a *nix expert, so hopefully I'm not
> missing something obvious. I've looked through the ssh man page and
> googled, but I didn't find anything relevant. Anyway.
>
> People are running attacks on my server... they look like dictionary
> attacks on usernames and passwords, and I'm sure that any of you who
> look at your logs have seen the same thing on your machines. I have
> reverse-dns checking turned on, and have everyone except select users
> blocked by denygroups and denyusers. I end up with large daily logs
> filled with failed login attempts, user not allowed messages, and
> "possible breaking attempt" messages from reverse-dns failures (e.g., more
> than 3800 entries yesterday, from 1 or 2 IPs).
>
> What I'd like is a system configuration where I just drop all packets
> from hosts that cause one of these messages for the next, say, 5 min.
> This way, a login failure from a legitimate user is not a catastrophic
> event for them, but greatly limits the ability of attackers to hammer on
> ssh. It seems like this sort of setup/process should have a well-known
> name (that I am ignorant of).
>
> Any advice, suggestions, or pointers would be appreciated!
> Thanks.
> --Paul
>
--
Alex Gottschalk agottschalk@letstalk.com
IT Manager/Sysadmin, LetsTalk.com
Office: (415) 357-7635
Cell: (415) 517-4982
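As an added illustration of the PF overload mechanism Alex points to (this is example configuration, not something posted in the thread), a pf.conf fragment that bans a source after a burst of new SSH connections. It assumes an OpenBSD host whose external interface belongs to the "egress" group; the table name and the 5-connections-per-30-seconds threshold are constructed values.

```pf
# Table holding the banned source addresses. "persist" keeps the table in
# the kernel even when no loaded rule currently references it.
table <bruteforce> persist

# Drop traffic from banned sources before anything else is evaluated.
# "quick" stops rule processing, so no later pass rule can let it through.
block in quick from <bruteforce>

# Allow inbound SSH but keep per-source state. max-src-conn-rate counts
# new TCP connections (SYNs), not failed logins: a source that opens more
# than 5 connections within 30 seconds is added to <bruteforce>. A single
# mistyped password by a legitimate user therefore does not trip it, but a
# dictionary attack that reconnects for every guess does.
# "flush global" also tears down every existing state from that source, so
# the attacker's in-flight sessions are cut off, not just new ones.
pass in on egress proto tcp to port ssh flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

PF never ages table entries out by itself, so to get the temporary ban Paul asked for, run `pfctl -t bruteforce -T expire 300` periodically (for example from cron), which removes entries older than 300 seconds; `pfctl -t bruteforce -T show` lists who is currently banned.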