
Re: SSH Blocking



On Apr 25 16:24, Jon Dowland wrote:
> Nick Miller wrote:
> 
> >I am wondering if
> >there is an option in SSHD to block an IP after a certain amount of
> >failed login attempts as any user?
> 
> You can achieve this result using the iptables throttle extension, I 
> believe.
> 
> 

On 4/18/05, Brad Sawatzky <brad+debian@swatter.net> wrote:
> On Mon, 18 Apr 2005, Dr. David Kirkby wrote:
> 
> > Anonymous wrote:
> > >I get loads of this crap in my auth.log file,
> > >
> > >Failed password for illegal user root from ...
> > >Failed password for illegal user webmaster from ...
> > >Failed password for illegal user data from ...
> > >
> > >sometimes almost 100 attempts in series from the same IP. I
> > >want to install something that will block an offensive IP
> > >indefinitely after a few bad attempts (say 3 or 4 rather
> > >than 1, since I occasionally make typos when logging in!).
> [ . . . ]
> > It is not that hard to spoof the IP address. What happens if the spoof
> > IP is your DNS server? Suddenly DNS does not work. Or how about the IP
> > address of Google, or search engine spiders? It sounds good, but I
> > belive it practice it can lead to more problems than it solves.
> 
> A better option would be to simply block port 22 (or whatever port is being
> attacked) from the (allegedly) offending ip address.  You can also set
> things up so the block expires after a period of time.  There is a nice
> overview of using the ip_recent module with netfilter to address this
> problem here:
>   <http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks>
> 
> A different approach is to use a perl script (sshd_sentry) to monitor the
> logs and update/expire host entries in /etc/hosts.deny:
>   <http://beau.org/pipermail/whitebox-users/2005-March/005790.html>
>   <http://linuxmafia.com/pub/linux/security/sshd_sentry/>
> 
> I'm using the perl script option and haven't had a problem...  The
> iptables approach seems 'nicer' though.  If applicable, make sure
> you remove 'sshd: ALL' in hosts.allow, and add something like
> 'ALL EXCEPT sshd: ALL'  to hosts.deny to make the script work as
> intended.
> 
> -- Brad
> 
> 



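The two approaches quoted above (a log monitor that writes host entries to /etc/hosts.deny, and a netfilter rule that counts recent hits and lets the block expire) share the same core logic: count failed logins per source address inside a time window, block once a small threshold is crossed, and drop the block again after a while. The Python below is an added example, not sshd_sentry or any code from the thread; it parses constructed auth.log lines of the form quoted above, uses an assumed syslog timestamp prefix, and emits the "sshd: <ip>" lines a hosts.deny file would carry (the thread's 'ALL EXCEPT sshd: ALL' convention is assumed for the rest of the file). The threshold, window and block duration are assumptions chosen to match the "3 or 4 rather than 1" request.

```python
"""Added example (not from the thread or sshd_sentry): count failed SSH
logins per source IP, block after a threshold within a window, expire blocks."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Failed password for illegal user NAME from IP" lines quoted in
# the thread; newer OpenSSH says "invalid user". Syslog prefix is assumed.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_ts(ts: str, year: int = 2005) -> datetime:
    """Syslog timestamps carry no year; assume one for the sample log."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class FailureTracker:
    def __init__(self, threshold=4, window=timedelta(minutes=10),
                 block_for=timedelta(hours=1)):
        self.threshold = threshold      # failures needed before blocking
        self.window = window            # failures older than this are forgotten
        self.block_for = block_for      # how long a block stays in hosts.deny
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time the block expires

    def feed(self, line: str):
        """Consume one log line; return the IP if this line triggers a block."""
        m = FAILED_RE.match(line)
        if not m:
            return None                 # accepted logins, other daemons, etc.
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        self.expire(ts)
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                 # slide the window forward
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = ts + self.block_for
            q.clear()
            return ip
        return None

    def expire(self, now: datetime):
        """Drop blocks whose expiry has passed (the 'expires after a period' idea)."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]

    def hosts_deny_lines(self):
        """Entries for /etc/hosts.deny in the 'sshd: ADDRESS' form."""
        return [f"sshd: {ip}" for ip in sorted(self.blocked)]


# Constructed sample log in the shape quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = [
    "Apr 18 10:00:01 mail sshd[2001]: Failed password for illegal user root from 192.0.2.10 port 40122 ssh2",
    "Apr 18 10:00:05 mail sshd[2003]: Failed password for illegal user webmaster from 192.0.2.10 port 40130 ssh2",
    "Apr 18 10:00:09 mail sshd[2005]: Failed password for illegal user data from 192.0.2.10 port 40137 ssh2",
    "Apr 18 10:00:13 mail sshd[2007]: Failed password for illegal user admin from 192.0.2.10 port 40144 ssh2",
    "Apr 18 10:02:40 mail sshd[2010]: Failed password for dave from 198.51.100.7 port 51022 ssh2",
    "Apr 18 10:02:47 mail sshd[2010]: Accepted password for dave from 198.51.100.7 port 51022 ssh2",
    "Apr 18 10:20:00 mail sshd[2020]: Failed password for illegal user test from 203.0.113.5 port 33000 ssh2",
    "Apr 18 10:45:00 mail sshd[2031]: Failed password for illegal user test from 203.0.113.5 port 33010 ssh2",
]


def scan(lines, tracker=None):
    """Feed lines through a tracker; return (newly blocked IPs, tracker)."""
    tracker = tracker or FailureTracker()
    hits = [ip for line in lines if (ip := tracker.feed(line))]
    return hits, tracker


if __name__ == "__main__":
    hits, tracker = scan(SAMPLE_LOG)
    print("blocked:", hits)
    print("\n".join(tracker.hosts_deny_lines()))
```

With the defaults, the one address that fails four times in twelve seconds is blocked; the single typo from 198.51.100.7 and the two attempts from 203.0.113.5 that are 25 minutes apart never reach the threshold, which is what the poster wanted. The netfilter recent-module approach from the thread keeps the same per-address counter in the kernel instead of in a script, so the threshold and window there become rule parameters rather than code.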