Re: Automatic blocking of attackers' IP

From: FEEB (feeb_at_chem.utoronto.ca)
Date: 09/08/04

  • Next message: FEEB: "Re: Automatic blocking of attackers' IP"
    Date: Wed, 08 Sep 2004 09:36:35 -0400 (EDT)
    
    

    On Tue, 07 Sep 2004 17:27:40 GMT, Geoffrey King wrote:

    >On Tue, 07 Sep 2004 09:53:31 -0400, FEEB wrote:
    >
    >> Hi,
    >>
    >> I would like to have the following scenario implemented on my network:
    >>
    >> 1.
    >> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
    >> whatever from some IP using SSH (or any other means).
    >>
    >> 2.
    >> When the number of attempts reaches a predefined trigger level, an action
    >> occurs (a script is executed, etc.)
    >>
    >> The definition of attempts, the trigger level and the resulting action
    >> should be configurable.
    >>
    >> Is a watchdog like that that would fulfill my requirements available
    >> somewhere out there or do I have to sit down and start scripting?
    >
    >1. Rate Limit SSH connections with IPTables. You can use Traffic shaping
    >to get fine grain control if that isn't enough.
    >
    >2. Use Swatch to monitor your SSH log file for failed connections. Tell it
    >to use IPTables to drop traffic from IP's that appear too often. There's
    >an example in the config that almost does this for you already.
    >
    >http://swatch.sourceforge.net/

    Thanks. That's what I was looking for. You just saved me a lot of time!

    Frank Bures, <feeb@chem.utoronto.ca>
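
The watchdog asked for in this thread (count failed SSH logins per source IP, act at a configurable trigger level), sketched as an added example in Python rather than as a Swatch configuration; it is not code from the thread or from the Swatch project. The function name, the syslog line layout, the thresholds and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Anchored at end of line and greedy over the user field, so text a client puts
# in the user name cannot stand in for the address sshd itself appended.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+(?: ssh\d?)?\s*$"
)

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "Sep  7 09:50:01 host sshd[311]: Failed password for root from 203.0.113.9 port 4242 ssh2",
    "Sep  7 09:50:03 host sshd[312]: Failed password for invalid user admin from 203.0.113.9 port 4243 ssh2",
    "Sep  7 09:50:04 host sshd[313]: Failed password for alice from 198.51.100.7 port 5000 ssh2",
    "Sep  7 09:50:06 host sshd[314]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.9 port 4244 ssh2",
    "Sep  7 09:53:31 host sshd[315]: Accepted password for alice from 198.51.100.7 port 5001 ssh2",
]

def block_commands(lines, threshold=3, window=60, allow=(), year=2004):
    """Return one iptables argv per IPv4 source with `threshold` failures in `window` s."""
    recent, blocked, commands = defaultdict(deque), set(), []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m["ip"]))
        except ValueError:
            continue  # not an IPv4 address: never pass it to the firewall
        if ip in allow or ip in blocked:
            continue
        # syslog timestamps carry no year; `year` is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:
            hits.popleft()  # keep only failures inside the sliding window
        if len(hits) >= threshold:
            blocked.add(ip)
            # The action: an argv list for subprocess.run(); swap in any script.
            commands.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
    return commands

if __name__ == "__main__":
    for argv in block_commands(SAMPLE):
        print(" ".join(argv))
```

Put your own management addresses in `allow` before wiring the returned commands to a real firewall, so a mistyped password does not lock you out.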

