RE: Advice on dealing with scripted SSH attacks?
- From: "Thompson Seren" <Seren.Thompson@xxxxxxxxxxxx>
- Date: Tue, 28 Mar 2006 13:47:27 -0700
There's a nice package called "fail2ban" on SourceForge. It works with
the logs of various programs including ssh, apache, etc. and uses
iptables or hosts.deny to block IPs for a period after a specified
number of failures.
It's written in Python and is pretty easy to configure for other
firewalls and logs.
-Seren Thompson
-----Original Message-----
From: Zembower, Kevin [mailto:kzembowe@xxxxxxxxxx]
Sent: Tuesday, March 28, 2006 7:13 AM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Advice on dealing with scripted SSH attacks?
What's the current advice on dealing with scripts that repeatedly try to
log onto SSH using a list of common usernames and 'password' for the
password? I get up to 4,000 of these a day from a single server. In
searching Google on this, I've learned of techniques using PAM and
firewall rules that are created dynamically in response to log-in
attempts.
Can someone point out a link or tell me what they think are the best
practices for dealing with this? Sooner or later, one of my users is
going to have the unfortunate combination of a common user name and a
bad password.
Ideally, what I'd like would be a system that exponentially increases
the timeout period after each repeated failed login attempt from the
same host up to a maximum of 10-20 minutes before resetting.
Thanks for your advice.
-Kevin Zembower
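
An added example, not part of either message and not fail2ban's code: a sketch of the escalating per-host timeout asked about in the original question, computed by replaying sshd "Failed password" log lines. The log lines are constructed, and the 5-second base, 20-minute cap and 20-minute quiet period that resets a host are assumed values.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Mar 28 07:00:00 gw sshd[100]: Failed password for root from 198.51.100.7 port 4000 ssh2
Mar 28 07:00:01 gw sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Mar 28 07:00:02 gw sshd[102]: Failed password for invalid user test from 192.0.2.10 port 4002 ssh2
Mar 28 07:00:03 gw sshd[103]: Failed password for invalid user guest from 192.0.2.10 port 4003 ssh2
Mar 28 07:00:04 gw sshd[104]: Failed password for invalid user oracle from 192.0.2.10 port 4004 ssh2
Mar 28 07:05:00 gw sshd[105]: Accepted password for kevin from 203.0.113.9 port 4005 ssh2
Mar 28 08:00:00 gw sshd[106]: Failed password for root from 198.51.100.7 port 4006 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

BASE = timedelta(seconds=5)          # assumed timeout after the first failure
CAP = timedelta(minutes=20)          # upper bound (the question asks for 10-20 minutes)
RESET_AFTER = timedelta(minutes=20)  # assumed quiet period that clears a host's count
MAX_DOUBLINGS = 20                   # keeps 2**n small when a host fails thousands of times


def block_windows(log_text, year=2006):
    """Replay the log; return {ip: (consecutive_failures, blocked_until)}.

    blocked_until is the time until which a firewall rule for that
    address would stay in place after its most recent failure.
    """
    state = {}  # ip -> (count, time of last failure, blocked_until)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        count, last, _ = state.get(ip, (0, None, None))
        if last is not None and ts - last > RESET_AFTER:
            count = 0  # host stayed quiet long enough: start over
        count += 1
        # Double the timeout on every repeated failure, up to the cap.
        timeout = min(BASE * 2 ** min(count - 1, MAX_DOUBLINGS), CAP)
        state[ip] = (count, ts, ts + timeout)
    return {ip: (c, until) for ip, (c, _, until) in state.items()}
```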