Re: Automatic blocking of attackers' IP
From: Geoffrey King (gking_at_evildomain.dyndns.org)
Date: 09/07/04
- Next message: FEEB: "Re: Automatic blocking of attackers' IP"
- Previous message: Mark A. Odell: "Re: Automatic blocking of attackers' IP"
- In reply to: FEEB: "Automatic blocking of attackers' IP"
- Next in thread: FEEB: "Re: Automatic blocking of attackers' IP"
- Reply: FEEB: "Re: Automatic blocking of attackers' IP"
Date: Tue, 07 Sep 2004 17:27:40 GMT
On Tue, 07 Sep 2004 09:53:31 -0400, FEEB wrote:
> Hi,
>
> I would like to have the following scenario implemented on my network:
>
> 1.
> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
> whatever from some IP using SSH (or any other means).
>
> 2.
> When the number of attempts reaches a predefined trigger level, an action
> occurs (a script is executed, etc.)
>
> The definition of attempts, the trigger level and the resulting action
> should be configurable.
>
> Is a watchdog like that that would fulfill my requirements available
> somewhere out there or do I have to sit down and start scripting?

1. Rate limit SSH connections with IPTables. You can use traffic shaping
to get fine-grained control if that isn't enough.
2. Use Swatch to monitor your SSH log file for failed connections. Tell it
to use IPTables to drop traffic from IPs that appear too often. There's
an example in the config that almost does this for you already.

http://swatch.sourceforge.net/
-- BOFH Excuse #205: Quantum dynamics are affecting the transistors
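
The watcher asked about in this thread (configurable definition of an attempt, trigger level and action), as an added example that is not part of the original post and is not Swatch's own configuration. It assumes OpenSSH's "Failed password for ... from IP port N ssh2" syslog line; the threshold, window, allowlist and year defaults are hypothetical, and the iptables commands are returned as text rather than executed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines (documentation addresses), not from a real host.
SAMPLE_LOG = """\
Sep  7 09:50:01 gw sshd[411]: Failed password for root from 203.0.113.9 port 4021 ssh2
Sep  7 09:50:03 gw sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Sep  7 09:50:04 gw sshd[413]: Failed password for bob from 192.0.2.10 port 5000 ssh2
Sep  7 09:50:06 gw sshd[414]: Failed password for root from 203.0.113.9 port 4023 ssh2
Sep  7 09:58:00 gw sshd[416]: Failed password for root from 198.51.100.7 port 6000 ssh2
Sep  7 09:58:30 gw sshd[417]: Failed password for root from 198.51.100.7 port 6001 ssh2
Sep  7 10:20:00 gw sshd[418]: Failed password for root from 198.51.100.7 port 6002 ssh2
"""

# The user name is client-supplied; greedy .* plus $ pins the address to the line's end.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def find_offenders(lines, threshold=3, window=timedelta(minutes=5),
                   allow=("192.0.2.0/24",), year=2004):
    """Return IPs with >= threshold failures inside `window`, in trigger order."""
    allowed = [ipaddress.ip_network(n) for n in allow]  # never block these (self-lockout guard)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))   # rejects anything that is not an IP
        except ValueError:
            continue
        if ip in blocked or any(ip in net for net in allowed):
            continue
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        recent[ip].append(ts)
        while ts - recent[ip][0] > window:   # drop failures older than the window
            recent[ip].popleft()
        if len(recent[ip]) >= threshold:
            blocked.append(ip)
    return blocked

def block_commands(ips):
    """Render the configured action as iptables commands (text only, not run)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(block_commands(find_offenders(SAMPLE_LOG.splitlines()))))
```

The allowlist and the strict IP parse matter as much as the counter: without them a mistyped password from the admin network, or a crafted user name in the log line, can turn the blocker against the wrong address.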