Re: Dictionary sshd attacks
From: Michael Heiming (michael+USENET_at_www.heiming.de)
Date: 07/17/05
- Previous message: Tobias Klausmann: "Re: Dictionary sshd attacks"
- In reply to: Wayne: "Dictionary sshd attacks"
- Next in thread: Brian Hall: "Re: Dictionary sshd attacks"
- Reply: Brian Hall: "Re: Dictionary sshd attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 17 Jul 2005 13:10:03 +0200
In comp.os.linux.security Wayne <wayne@nospam.4me.invalid>:
> Is it possible to have sshd or some other daemon recognize
> a dictionary attack in progress, and to "shun" that IP for
> (say) an hour? The mechanics seem simple to me: A log file
> reader spots the pattern in real time and issues an iptables
> command to DROP port 22 packets from the identified IP address,
> sends a syslog message, and creates an "at" job to remove the
> iptables rule after some period of time. A more sophisticated
> tool could continue to monitor the logs for the attack and only
> reactivate the port after X minutes after the attack ends.
> I know I've read of such tools someplace before, but I can't
> remember any details.
Taking a short look:
http://denyhosts.sourceforge.net/
http://www.csc.liv.ac.uk/~greg/sshdfilter/
http://www.hexten.net/sw/pam_abl/index.mhtml
http://fail2ban.sourceforge.net/
And probably a dozen others look promising. Even if the easiest
would just be to restrict ssh access to a few trusted
hosts/networks.
[..]
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 389: /dev/clue was linked to /dev/null
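An added example, not from this thread or from any of the tools linked above, that implements the mechanics Wayne describes in Python: parse sshd "Failed password" lines from an auth log, find source IPs that cross a failure threshold inside a sliding time window, and produce the iptables DROP rule, syslog message and timed `at` unban as command strings (nothing is executed). The log lines, IP addresses, threshold and ban duration are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (classic stamps carry no year): a fast dictionary run from 203.0.113.7, one typo from 198.51.100.2.
SAMPLE_LOG = """\
Jul 17 13:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Jul 17 13:01:04 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 4412 ssh2
Jul 17 13:01:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 4413 ssh2
Jul 17 13:01:09 host sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 4414 ssh2
Jul 17 13:01:11 host sshd[2109]: Failed password for invalid user guest from 203.0.113.7 port 4415 ssh2
Jul 17 13:02:30 host sshd[2111]: Failed password for wayne from 198.51.100.2 port 5001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text, year=2005):
    """Return [(datetime, ip)] for each failed sshd login; non-matching lines are ignored."""
    return [
        (datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"])
        for m in map(FAILED_RE.match, log_text.splitlines()) if m
    ]

def offenders(failures, threshold=5, window=timedelta(minutes=10)):
    """Map ip -> the time it reached `threshold` failures within one sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)
    crossed = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # empty when too few failures
            if times[i + threshold - 1] - times[i] <= window:
                crossed[ip] = times[i + threshold - 1]
                break
    return crossed

def ban_commands(ip, ban_minutes=60):
    """Commands a real tool would run: DROP rule, syslog note, and the `at` job that lifts the rule."""
    rule = f"-s {ip} -p tcp --dport 22 -j DROP"
    return [
        f"iptables -I INPUT {rule}",
        f"logger -p auth.warning 'sshd dictionary attack: dropping {ip} for {ban_minutes} min'",
        f"echo 'iptables -D INPUT {rule}' | at now + {ban_minutes} minutes",
    ]
```

The single failure from 198.51.100.2 never reaches the threshold, so only the dictionary source is banned; a production tool would also need to handle log rotation and the "after X minutes past the last attempt" extension Wayne mentions.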