
Re: failed root login attempts

* Noah Meyerhans (noahm@debian.org) wrote:
> As an additional point against these scripts, they are host based.  If
> I'm going to bother blackholing the source of these login attempts, I'm
> going to do it at the border.  Yes, I can write scripts to react to this
> kind of scanning and have it automatically manipulate access lists on
> the routers, I'm not sure I really like the idea.  I'm sort of leaning
> in that direction, at this point, though, just to shut up logcheck
> without telling it to ignore all failed root login attempts.

This may or may not be an option for you, but...  There's an iptables
match called 'ipt_recent' which you can use to blackhole addresses for a
period of time.  Many of these types of scans will hit an unused
address first, or first hit an address/port combination that's not 
allowed.  With ipt_recent you can then blackhole the address for some
period of time (say, 60 seconds) which is generally more than long
enough for the rest of the scan of your segment to be blocked.

Of course, there are potential problems with any kind of automated
blacklisting, the main one being the 'DoS' problem.  ipt_recent tries to
handle this by having the option to also track the TTL which at least 
makes it a little more difficult to forge packets which will block
legitimate hosts.  iptables also allows stateful filtering and if you
use that then at least outbound connections won't be affected, only
inbound ones could be.
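The rule set described above (trap on an unused address or a disallowed port, blackhole the source for 60 seconds, track the TTL, let established flows through) as a concrete shell script. This is an added example, not code from the original post. It assumes, hypothetically, that the exposed interface is eth0, that 192.0.2.99 is an unused address the host answers for, that SSH on TCP/22 is the only service meant to be reachable, and that the rules belong in the INPUT chain; on a border router protecting a whole segment the same rules would go in FORWARD instead.

```shell
#!/bin/sh
# Added example: ipt_recent-based blackholing of scanners (not from the post).
# Hypothetical settings; override from the environment. Set IPT="echo iptables"
# to print the rules instead of loading them.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-INPUT}"
IFACE="${IFACE:-eth0}"
TRAP_ADDR="${TRAP_ADDR:-192.0.2.99}"   # unused address acting as the trap
BAN_SECONDS="${BAN_SECONDS:-60}"

install_recent_rules() {
    # 1. Packets of already-established flows are accepted before any
    #    blackhole check, so a ban only ever affects new inbound connections.
    $IPT -A "$CHAIN" -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Drop anything whose source was added to the 'scanners' list within
    #    the last $BAN_SECONDS seconds. --rttl additionally requires the TTL to
    #    match the one seen when the entry was created, so a forged packet
    #    cannot get a legitimate host banned unless the forger also guesses
    #    the TTL that host's packets arrive with.
    $IPT -A "$CHAIN" -i "$IFACE" -m recent --name scanners --rcheck \
        --seconds "$BAN_SECONDS" --rttl -j DROP

    # 3. Trap: a new connection to the unused address records the source
    #    (--set) and drops the packet. Nothing legitimate should ever hit this.
    $IPT -A "$CHAIN" -i "$IFACE" -d "$TRAP_ADDR" -m state --state NEW \
        -m recent --name scanners --set -j DROP

    # 4. The service that is actually offered.
    $IPT -A "$CHAIN" -i "$IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 5. Any other new connection is a disallowed address/port combination:
    #    record the source and drop, so the rest of the scan is blackholed.
    $IPT -A "$CHAIN" -i "$IFACE" -m state --state NEW \
        -m recent --name scanners --set -j DROP
}

# Load the rules when the script is run directly (needs root).
[ "${INSTALL_NOW:-0}" = 1 ] && install_recent_rules
```

Run it as root with INSTALL_NOW=1 to load the rules, or with IPT="echo iptables" INSTALL_NOW=1 to just print them. With the ipt_recent module of that era the current list and each entry's recorded TTL can be inspected in /proc/net/ipt_recent/scanners (later kernels moved it to /proc/net/xt_recent/). The order matters: rule 2 must come after the ESTABLISHED,RELATED accept and before the ACCEPT for port 22, otherwise a banned scanner could still open new SSH connections during the ban.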
