Re: Banning SSH attackers

From: Eldon Ziegler (eldonz39yid_at_yahoo.com)
Date: 10/24/05

    Date: Sun, 23 Oct 2005 18:15:19 -0400
    To: Paul Berube <stazz@shaw.ca>, secureshell@securityfocus.com

    I've had the same problem and it was solved by a script from a
    presentation we had at a local Linux users group meeting. A copy of
    the presentation is attached. This script detects attempts to break
    in via ssh and dynamically generates iptables rules to block further
    connects from that host for one week.

    At 01:42 pm 10/20/2005, Paul Berube wrote:

    >Hi.
    >
    >First off, my personal disclaimer: I'm not a (real) sysadmin, nor a
    >security or networking or even a *nix expert, so hopefully I'm not
    >missing something obvious. I've looked through the ssh man page and
    >googled, but I didn't find anything relevant. Anyway.
    >
    >People are running attacks on my server... they look like dictionary
    >attacks on usernames and passwords, and I'm sure that any of you who
    >look at your logs have seen the same thing on your machines. I have
    >reverse-dns checking turned on, and have everyone except select
    >users blocked by denygroups and denyusers. I end up with large
    >daily logs filled with failed login attempts, user not allowed
    >messages, and "possible breaking attempt" messages from reverse-dns
    >failures (eg, more than 3800 entries yesterday, from 1 or 2 IPs).
    >
    >What I'd like is a system configuration where I just drop all
    >packets from hosts that cause one of these messages for the next,
    >say, 5 min.
    >This way, a login failure from a legitimate user is not a
    >catastrophic event for them, but greatly limits the ability of
    >attackers to hammer on ssh. It seems like this sort of
    >setup/process should have a well-known name (that I am ignorant of).
    >
    >Any advice, suggestions, or pointers would be appreciated!
    >Thanks.
    >--Paul
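
A defensive log watcher of the kind both messages describe, as an added example and not the script from the presentation Eldon mentions: it extracts the source address from the three sshd messages Paul lists (failed passwords, DenyUsers/DenyGroups rejections, reverse-DNS break-in warnings) and, once a host passes a threshold, emits the iptables DROP rule together with its matching delete command and the epoch time at which to lift the ban. The log lines and addresses are constructed, and the threshold, the 22/tcp match and epoch-second timing are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd syslog lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Oct 20 13:40:01 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Oct 20 13:40:03 srv sshd[1235]: Failed password for invalid user test from 203.0.113.5 port 40123 ssh2
Oct 20 13:40:05 srv sshd[1236]: Failed password for root from 203.0.113.5 port 40124 ssh2
Oct 20 13:41:10 srv sshd[1240]: User alice from 198.51.100.7 not allowed because not listed in AllowUsers
Oct 20 13:42:00 srv sshd[1241]: reverse mapping checking getaddrinfo for bad.example [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 20 13:42:30 srv sshd[1242]: Failed password for bob from 192.0.2.9 port 51000 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# The three message types Paul lists: failed logins, DenyUsers/DenyGroups rejections,
# and reverse-DNS "POSSIBLE BREAK-IN ATTEMPT" warnings.
PATTERNS = [
    re.compile(r"Failed password for .* from " + IPV4),
    re.compile(r"User \S+ from " + IPV4 + r" not allowed"),
    re.compile(r"reverse mapping checking .*\[" + IPV4 + r"\] failed - POSSIBLE BREAK-IN"),
]

def count_offenders(log_text):
    """Return {ip: number of suspicious sshd events} for the given log text."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group("ip")] += 1
                break  # count each line once
    return counts

def plan_bans(counts, threshold, ban_seconds, now):
    """For each IP with at least `threshold` events, build the iptables DROP rule to
    insert, the matching delete command, and the epoch time at which to lift it."""
    bans = []
    for ip, n in sorted(counts.items()):
        if n >= threshold:
            rule = f"-s {ip} -p tcp --dport 22 -j DROP"
            bans.append({"ip": ip, "insert": "iptables -I INPUT " + rule,
                         "delete": "iptables -D INPUT " + rule,
                         "expires": now + ban_seconds})
    return bans

def expired_bans(bans, now):
    """Bans whose lifetime has passed; run their delete command to unblock the host."""
    return [b for b in bans if b["expires"] <= now]
```

Paul's 5-minute window is `ban_seconds=300` and Eldon's one week is `604800`; a real watcher would run each `insert` command as it is planned and the `delete` command when `expired_bans` reports it.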

