Re: Banning SSH attackers
From: Eldon Ziegler (eldonz39yid_at_yahoo.com)
Date: Sun, 23 Oct 2005 18:15:19 -0400
To: Paul Berube <firstname.lastname@example.org>, email@example.com
I've had the same problem and it was solved by a script from a
presentation we had at a local Linux users group meeting. A copy of
the presentation is attached. This script detects attempts to break
in via ssh and dynamically generates iptables rules to block further
connects from that host for one week.
At 01:42 pm 10/20/2005, Paul Berube wrote:
>First off, my personal disclaimer: I'm not a (real) sysadmin, nor a
>security or networking or even a *nix expert, so hopefully I'm not
>missing something obvious. I've looked through the ssh man page and
>googled, but I didn't find anything relevant. Anyway.
>People are running attacks on my server... they look like dictionary
>attacks on usernames and passwords, and I'm sure that any of you who
>look at your logs have seen the same thing on your machines. I have
>reverse-dns checking turned on, and have everyone except select
>users blocked by denygroups and denyusers. I end up with large
>daily logs filled with failed login attempts, user not allowed
>messages, and "possible breaking attempt" messages from reverse-dns
>failures (eg, more than 3800 entries yesterday, from 1 or 2 IPs).
>What I'd like is a system configuration where I just drop all
>packets from hosts that cause one of these messages for the next,
>say, 5 min.
>This way, a login failure from a legitimate user is not a
>catastrophic event for them, but greatly limits the ability of
>attackers to hammer on ssh. It seems like this sort of
>setup/process should have a well-known name (that I am ignorant of).
>Any advice, suggestions, or pointers would be appreciated!
- application/pdf attachment: tb-sshdfilter-presentation.pdf
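A minimal version of the detect-and-ban loop Eldon describes, added here as an illustration (this is not the sshdfilter script from the attached presentation): it counts failed sshd attempts per source IP over constructed log lines, emits an iptables DROP rule for repeat offenders, and emits the matching delete once the one-week ban expires. The sample log lines, the threshold of three failures and the port 22 rule shape are assumptions.

```python
import re
from collections import Counter

# Constructed sshd log lines (example data, not from the original thread)
SAMPLE_LOG = """\
Oct 23 17:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Oct 23 17:01:05 host sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
Oct 23 17:01:09 host sshd[1236]: Failed password for root from 192.0.2.10 port 4024 ssh2
Oct 23 17:02:11 host sshd[1240]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Oct 23 17:02:40 host sshd[1241]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
Oct 23 17:03:00 host sshd[1250]: Invalid user oracle from 203.0.113.5
Oct 23 17:03:00 host sshd[1250]: Failed password for invalid user oracle from 203.0.113.5 port 6000 ssh2
"""

# Two sshd message shapes that indicate a failed or disallowed login attempt
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for .+?|Invalid user \S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

BAN_SECONDS = 7 * 24 * 3600  # one week, as in the script described in the mail

def count_failures(log_text):
    """Return a Counter of failed-attempt messages per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, threshold=3):
    """IPs with at least `threshold` failures; a single typo from a real user stays unbanned."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def ban_rule(ip):
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

def unban_rule(ip):
    return f"iptables -D INPUT -s {ip} -p tcp --dport 22 -j DROP"

def apply_bans(ips, bans, now):
    """Record new bans with their expiry time (epoch seconds); return the rules to run now."""
    cmds = []
    for ip in ips:
        if ip not in bans:  # already banned hosts are not re-added
            bans[ip] = now + BAN_SECONDS
            cmds.append(ban_rule(ip))
    return cmds

def expire_bans(bans, now):
    """Forget bans whose week is up; return the rules that remove them from iptables."""
    cmds = []
    for ip in sorted(ip for ip, until in bans.items() if until <= now):
        del bans[ip]
        cmds.append(unban_rule(ip))
    return cmds
```

A real deployment would tail the auth log, run the returned commands as root, and persist the `bans` table across restarts; here the commands are only returned as strings so the logic can be exercised without touching the firewall.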