Re: Dictionary sshd attacks

From: Michael Heiming (michael+USENET_at_www.heiming.de)
Date: 07/17/05

    Date: Sun, 17 Jul 2005 13:10:03 +0200
    
    

    In comp.os.linux.security Wayne <wayne@nospam.4me.invalid>:
    > Is it possible to have sshd or some other daemon recognize
    > a dictionary attack in progress, and to "shun" that IP for
    > (say) an hour? The mechanics seem simple to me: A log file
    > reader spots the pattern in real time and issues an iptables
    > command to DROP port 22 packets from the identified IP address,
    > sends a syslog message, and creates an "at" job to remove the
    > iptables rule after some period of time. A more sophisticated
    > tool could continue to monitor the logs for the attack and only
    > reactivate the port after X minutes after the attack ends.

    > I know I've read of such tools someplace before, but I can't
    > remember any details.

    Taking a short look:

    http://denyhosts.sourceforge.net/
    http://www.csc.liv.ac.uk/~greg/sshdfilter/
    http://www.hexten.net/sw/pam_abl/index.mhtml
    http://fail2ban.sourceforge.net/

    And probably a dozen others look promising. Even if the easiest
    would just be to restrict ssh access to a few trusted
    hosts/networks.

    [..]

    -- 
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 389: /dev/clue was linked to /dev/null
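The shunning mechanism Wayne sketches above (a log reader that counts failed logins per source address, inserts an iptables DROP rule and queues an at(1) job to lift it again), as an added Python example that is not part of this thread and not code from any of the tools linked. The sshd log format, the thresholds, the year assumed for syslog timestamps and the sample log lines are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line as syslog writes it; hostname and pid vary per host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?:::ffff:)?(?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

class Shunner:
    """`threshold` failures from one IP within `window` seconds earn a DROP rule;
    the returned at(1) job deletes that rule again `ban` seconds later."""
    def __init__(self, threshold=5, window=60, ban=3600, year=2005):
        self.threshold, self.year = threshold, year   # syslog stamps carry no year
        self.window, self.ban = timedelta(seconds=window), timedelta(seconds=ban)
        self.failures = defaultdict(deque)   # ip -> recent failure times
        self.banned = {}                     # ip -> ban expiry

    def feed(self, line):
        """Return (block_cmd, unblock_cmd) when a ban is due, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        ts = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if ip in self.banned:
            if self.banned[ip] > ts:
                return None          # rule still in place, nothing to do
            del self.banned[ip]      # the at job has removed the rule by now
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()
        self.banned[ip] = ts + self.ban
        rule = f"-s {ip} -p tcp --dport 22 -j DROP"
        minutes = int(self.ban.total_seconds() // 60)
        return (f"iptables -I INPUT {rule}",
                f"echo 'iptables -D INPUT {rule}' | at now + {minutes} minutes")

# Constructed sample: five failures in five seconds from 192.0.2.10, two from .20.
SAMPLE = [f"Jul 17 13:10:0{s} host sshd[123]: Failed password for invalid user "
          f"admin from 192.0.2.10 port {4000 + s} ssh2" for s in range(5)] + [
    "Jul 17 13:10:07 host sshd[124]: Failed password for root from 192.0.2.20 port 4100 ssh2",
    "Jul 17 13:10:09 host sshd[125]: Failed password for root from 192.0.2.20 port 4101 ssh2",
]
```

Feeding SAMPLE through one Shunner() yields exactly one (block, unblock) pair, for 192.0.2.10 on its fifth failure; the two failures from 192.0.2.20 stay under the threshold. A real deployment would tail the log and pass the two commands to a shell and to logger(1) for the syslog message Wayne asks for.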
    
