RE: Advice on dealing with scripted SSH attacks?
Slog works pretty well. It parses whatever log sshd dumps auth bits to and
parses for failed/incorrect logins. It then calls iptables and blocks the
source IP of the offender based upon your threshold settings.
securelabs.be/slog/
-----Original Message-----
From: Zembower, Kevin [mailto:kzembowe@xxxxxxxxxx]
Sent: Tuesday, March 28, 2006 9:13 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Advice on dealing with scripted SSH attacks?

What's the current advice on dealing with scripts that repeatedly try to
log onto SSH using a list of common usernames and 'password' for the
password? I get up to 4,000 of these a day from a single server. In
searching Google on this, I've learned of techniques using PAM and
firewall rules that are created dynamically in response to log-in
attempts.

Can someone point out a link or tell me what they think are the best
practices for dealing with this? Sooner or later, one of my users is
going to have the unfortunate combination of a common user name and a
bad password.

Ideally, what I'd like would be a system that exponentially increases
the timeout period after each repeated failed login attempt from the
same host up to a maximum of 10-20 minutes before resetting.

Thanks for your advice.

-Kevin Zembower
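Added example, not part of the thread and not Slog's own code: it shows the mechanism the reply describes (parse sshd's failed-password lines, count per source IP, block over a threshold) combined with the doubling timeout Kevin asks for, capped at 20 minutes. The threshold and base period are assumed settings, the log lines are constructed, and the iptables command is printed rather than executed.

```python
import re
from collections import defaultdict
# Constructed sshd log lines (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    "Mar 28 09:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51412 ssh2",
    "Mar 28 09:01:04 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51418 ssh2",
    "Mar 28 09:01:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 51421 ssh2",
    "Mar 28 09:01:08 host sshd[1207]: Failed password for invalid user guest from 203.0.113.7 port 51425 ssh2",
    "Mar 28 09:01:10 host sshd[1209]: Failed password for root from 203.0.113.7 port 51430 ssh2",
    "Mar 28 09:02:00 host sshd[1211]: Failed password for kevin from 198.51.100.9 port 40012 ssh2",
    "Mar 28 09:02:05 host sshd[1213]: Accepted publickey for kevin from 198.51.100.9 port 40013 ssh2",
]

# Only the "Failed password" line is counted; sshd also logs a separate
# "Invalid user" line for unknown names, which would double-count.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

THRESHOLD = 3        # failures tolerated before the first block (assumed setting)
BASE_BLOCK = 60      # seconds for the first block (assumed setting)
MAX_BLOCK = 20 * 60  # ceiling taken from Kevin's 10-20 minute request

def parse_failures(lines):
    """Map source IP -> number of failed-password lines."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

def block_seconds(failures, threshold=THRESHOLD):
    """0 below the threshold, then doubling with each extra failure, capped."""
    if failures < threshold:
        return 0
    return min(BASE_BLOCK * 2 ** (failures - threshold), MAX_BLOCK)

def iptables_rule(ip):
    """The rule a Slog-style blocker would insert; shown here, not executed."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

def plan_blocks(lines):
    # {ip: block_seconds} for every source that crossed the threshold
    return {ip: block_seconds(n) for ip, n in parse_failures(lines).items()
            if block_seconds(n) > 0}

if __name__ == "__main__":
    for ip, secs in plan_blocks(SAMPLE_LOG).items():
        print(f"{iptables_rule(ip)}   # expire after {secs}s")
```

A real deployment would also need to remove the rule once the timeout expires, which is the part most of these tools spend their code on.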