Re: Banning SSH attackers

From: Alex Gottschalk (agottschalk_at_letstalk.com)
Date: 10/21/05

  • Next message: Eldon Ziegler: "Re: Banning SSH attackers"
    To: Paul Berube <stazz@shaw.ca>
    Date: Fri, 21 Oct 2005 12:26:45 -0700


    OpenBSD's PF firewall will let you do this, with any port. More than X
    connections/sec from a given IP will let you add that src IP to a table,
    which you can then ban, or whatever. Look for the <overload> operator
    here: <http://www.openbsd.org/faq/pf/filter.html#stateopts>

    --Alex

    On Thu, 2005-10-20 at 11:42 -0600, Paul Berube wrote:
    > Hi.
    >
    > First off, my personal disclaimer: I'm not a (real) sysadmin, nor a
    > security or networking or even a *nix expert, so hopefully I'm not
    > missing something obvious. I've looked through the ssh man page and
    > googled, but I didn't find anything relevant. Anyway.
    >
    > People are running attacks on my server... they look like dictionary
    > attacks on usernames and passwords, and I'm sure that any of you who
    > look at your logs have seen the same thing on your machines. I have
    > reverse-dns checking turned on, and have everyone except select users
    > blocked by denygroups and denyusers. I end up with large daily logs
    > filled with failed login attempts, user not allowed messages, and
    > "possible breaking attempt" messages from reverse-dns failures (eg, more
    > than 3800 entries yesterday, from 1 or 2 IPs).
    >
    > What I'd like is a system configuration where I just drop all packets
    > from hosts that cause one of these messages for the next, say, 5 min.
    > This way, a login failure from a legitimate user is not a catastrophic
    > event for them, but greatly limits the ability of attackers to hammer on
    > ssh. It seems like this sort of setup/process should have a well-known
    > name (that I am ignorant of).
    >
    > Any advice, suggestions, or pointers would be appreciated!
    > Thanks.
    > --Paul
    >

    -- 
    Alex Gottschalk                                   agottschalk@letstalk.com
    IT Manager/Sysadmin                                 Office: (415) 357-7635
    LetsTalk.com                                          Cell: (415) 517-4982
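As a concrete illustration of the PF mechanism Alex points to (this is an added example, not a configuration posted by anyone in the thread), here is a pf.conf fragment that bans a source address after it opens SSH connections too quickly. The table name <bruteforce>, the "egress" interface group, and the thresholds (10 concurrent, 3 new connections per 30 seconds) are assumptions chosen for illustration; tune them to your own traffic.

```pf
# Added example (not from the original post). Table name, interface group and
# thresholds are assumptions for illustration.

# Persistent table of banned sources; "persist" keeps it around even while it
# is empty and no rule references it.
table <bruteforce> persist

# Drop everything from an address once it has landed in the table.
block in quick from <bruteforce>

# Allow SSH, but track new connections per source address.
#   max-src-conn 10       -> at most 10 simultaneous connections per source
#   max-src-conn-rate 3/30 -> at most 3 new connections per 30 seconds
# A source that exceeds either limit is added to <bruteforce>; "flush global"
# also tears down that source's existing states, so sessions it already has
# open are killed rather than left running.
pass in on egress proto tcp to port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)
```

Two practical notes. First, PF adds addresses to the table but never removes them on its own, so to get the "drop for the next 5 minutes" behaviour Paul asked for, run `pfctl -t bruteforce -T expire 300` from cron (every minute is fine); it deletes entries that have been in the table longer than 300 seconds. `pfctl -t bruteforce -T show` lists who is currently banned and `pfctl -t bruteforce -T delete <addr>` unbans one address by hand, and `pfctl -nf /etc/pf.conf` syntax-checks the file before you load it. Second, this counts TCP connections, not failed logins: a legitimate user who runs a handful of scp commands in quick succession can trip the rate limit just as an attacker can, so set the rate high enough for your own usage and keep a second path (console, another address) to recover from a self-inflicted ban.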