Re: Automatic blocking of attackers' IP

From: moo (moo_at_mangled.lgw.co.nz)
Date: 10/19/04


Date: Tue, 19 Oct 2004 14:16:58 +1300

On Mon, 11 Oct 2004 03:12:52 +0000, William B. Cattell wrote:

> On Tue, 07 Sep 2004 09:53:31 -0400, FEEB wrote:
>
>> Hi,
>>
>> I would like to have the following scenario implemented on my network:
>>
>> 1.
>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
>> whatever from some IP using SSH (or any other means).
>>
>> 2.
>> When the number of attempts reaches a predefined trigger level, an action
>> occurs (a script is executed, etc.)
>>
>> The definition of attempts, the trigger level and the resulting action
>> should be configurable.
>>
>> Is a watchdog like that that would fulfill my requirements available
>> somewhere out there or do I have to sit down and start scripting?
>>
>> Thanks
>>
>>
>> Frank Bures, <feeb@chem.utoronto.ca>
>
> Take a look at PortSentry. It will key off actions you can specify and
> automatically block / close the port for a period of time. It can also be
> scripted to insert the attacker's IP address into the hosts.deny thereby
> blocking that IP from that daemon.
>
> Bill

Yes portsentry is an excellent way to do this, just don't forget to add a
whitelist so you don't accidentally block yourself out, or so that attackers
don't spoof an IP and make you block lots of other hosts you want to get
to (DNS server/gateways etc).

For the mega paranoid I would recommend implementing some form of TCP Door
knocking, an example of this is cdoor from the clever people at
phenoelit.de

Or for a more robust implementation SADoor
(http://cmn.listprojects.darklab.org/)

This way you can have a DENY ALL type rule on the firewall, but still get
into the box if you need to by sending specially crafted packets.

-- 
http://www.lucidit.co.nz
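As an added example (not code from this thread, nor from PortSentry, cdoor or SADoor): the configurable watchdog Frank asks for, with the whitelist moo recommends, written in Python. The sshd auth.log lines, the whitelist ranges and the threshold are constructed assumptions; the resulting action is returned as hosts.deny entries rather than executed, so the decision logic can be checked on its own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log lines in OpenSSH's format; not from the original thread.
SAMPLE_LOG = """\
Oct 19 14:16:58 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Oct 19 14:17:01 gw sshd[1202]: Failed password for root from 192.0.2.10 port 4322 ssh2
Oct 19 14:17:05 gw sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 4323 ssh2
Oct 19 14:17:09 gw sshd[1204]: Failed password for root from 10.0.0.53 port 5000 ssh2
Oct 19 14:17:12 gw sshd[1205]: Failed password for root from 10.0.0.53 port 5001 ssh2
Oct 19 14:17:15 gw sshd[1206]: Failed password for root from 10.0.0.53 port 5002 ssh2
Oct 19 14:17:20 gw sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 6000 ssh2
Oct 19 14:17:25 gw sshd[1208]: Failed password for invalid user oracle from 203.0.113.9 port 7000 ssh2
"""

# Hosts that must never be blocked (assumed example ranges: the local management
# LAN where the DNS server and gateway live, plus one remote admin host).
WHITELIST = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Matches OpenSSH "Failed password" lines for both valid and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def count_failures(lines, users=None):
    """Return a Counter of failed-login attempts per source IP.

    `users` optionally restricts counting to specific account names
    (e.g. {"root", "admin"}); None counts every failed password.
    """
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        if users is not None and m.group("user") not in users:
            continue
        counts[m.group("ip")] += 1
    return counts


def is_whitelisted(ip, whitelist):
    """True if `ip` parses and falls inside any whitelisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in whitelist)


def decide(counts, threshold, whitelist):
    """Split sources that reached `threshold` into (to_block, skipped).

    Whitelisted or unparsable addresses land in `skipped`: they are never
    handed to the firewall, so a spoofed burst cannot lock out the gateway.
    """
    to_block, skipped = [], []
    for ip, n in sorted(counts.items()):
        if n < threshold:
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            skipped.append(ip)  # garbage in the log, not a usable address
            continue
        if is_whitelisted(ip, whitelist):
            skipped.append(ip)
        else:
            to_block.append(ip)
    return to_block, skipped


def hosts_deny_lines(to_block, daemon="sshd"):
    """Render the configured action: one hosts.deny entry per blocked source."""
    return [f"{daemon}: {ip}" for ip in to_block]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    blocked, skipped = decide(counts, threshold=3, whitelist=WHITELIST)
    for entry in hosts_deny_lines(blocked):
        print("would append to hosts.deny:", entry)
    for ip in skipped:
        print("over threshold but whitelisted/ignored:", ip)
```

The three knobs the original poster wants are the `users` set (what counts as an attempt), `threshold` (the trigger level) and `hosts_deny_lines` (the action); in real use the returned entries would be appended to /etc/hosts.deny as Bill describes, or passed to a firewall rule. The whitelist is consulted before any action is taken, which is the guard moo is asking for.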

