Re: Automatic blocking of attackers' IP
From: FEEB (feeb_at_chem.utoronto.ca)
Date: Wed, 08 Sep 2004 09:36:35 -0400 (EDT)
On Tue, 07 Sep 2004 17:27:40 GMT, Geoffrey King wrote:
>On Tue, 07 Sep 2004 09:53:31 -0400, FEEB wrote:
>> I would like to have the following scenario implemented on my network:
>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
>> whatever from some IP using SSH (or any other means).
>> When the number of attempts reaches a predefined trigger level, an
>> occurs (a script is executed, etc.)
>> The definition of attempts, the trigger level and the resulting action
>> should be configurable.
>> Is a watchdog like that that would fulfill my requirements available
>> somewhere out there or do I have to sit down and start scripting?
>1. Rate Limit SSH connections with IPTables. You can use Traffic shaping
>to get fine grain control if that isn't enough.
>2. Use Swatch to monitor your SSH log file for failed connections. Tell
>to use IPTables to drop traffic from IP's that appear too often. There's
>an example in the config that almost does this for you already.
Thanks. That's what I was looking for. You just save me a lot of time!
Frank Bures, <email@example.com>