
Re: howto block ssh brute-force



Hi!

> Maybe there is a way to temporarily block ips upon such attempts (is
> this a FAQ?), or maybe divert them like what portsentry does for
> portscans?

A friend recommended 
  http://www.csc.liv.ac.uk/~greg/sshdfilter/
but I didn't try it myself. It runs as a daemon and blocks the IP if
several non-existent users have been tried. A logfile looks like this:

Jan 17 21:27:12 localhost sshd[14378]: Failed keyboard-interactive/pam for root from ::ffff:xx.xx.xx.xx port 53273 ssh2
Jan 17 21:27:12 localhost sshdfilt[14377]: Chanced xx.xx.xx.xx, tries=2
Jan 17 21:27:12 localhost sshd[14378]: Postponed keyboard-interactive for root from ::ffff:xx.xx.xx.xx port 53273 ssh2
Jan 17 21:27:16 localhost sshd[14378]: Connection closed by ::ffff:xx.xx.xx.xx
Jan 17 21:27:23 localhost sshdfilt[14377]: Illegal user name, instant block of xx.xx.xx.xx
Jan 17 21:27:23 localhost sshd[14378]: Illegal user admin from ::ffff:xx.xx.xx.xx
Jan 17 21:27:23 localhost sshd[14378]: input_userauth_request: illegal user admin
Jan 17 21:27:23 localhost sshd[14378]: Failed none for illegal user admin from ::ffff:xx.xx.xx.xx port 53289 ssh2

where xx.xx.xx.xx is the IP address of the offender.

Bye
  Hansi
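
Added example, not part of the original message and not sshdfilter's own code: a minimal Python sketch of the decision visible in the log above, where an illegal user name blocks the source at once and repeated failures block it after a threshold. The threshold value, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the sshd format quoted above (documentation addresses).
SAMPLE_LOG = """\
Jan 17 21:27:12 localhost sshd[14378]: Failed keyboard-interactive/pam for root from ::ffff:192.0.2.10 port 53273 ssh2
Jan 17 21:27:23 localhost sshd[14378]: Illegal user admin from ::ffff:192.0.2.10
Jan 17 21:27:23 localhost sshd[14378]: Failed none for illegal user admin from ::ffff:192.0.2.10 port 53289 ssh2
Jan 17 21:28:01 localhost sshd[14380]: Failed password for root from ::ffff:198.51.100.7 port 40022 ssh2
Jan 17 21:28:04 localhost sshd[14380]: Failed password for root from ::ffff:198.51.100.7 port 40022 ssh2
Jan 17 21:28:07 localhost sshd[14380]: Failed password for root from ::ffff:198.51.100.7 port 40022 ssh2
Jan 17 21:28:09 localhost sshd[14381]: Failed password for root from 203.0.113.5 port 40100 ssh2
Jan 17 21:28:11 localhost sshd[14382]: Illegal user test user from ::ffff:192.0.2.44
"""

MAX_TRIES = 3  # assumed threshold, not taken from sshdfilter

# The user name is chosen by the remote side and may contain spaces, so the
# address is always taken from its fixed position at the end of the line.
ILLEGAL = re.compile(r"sshd\[\d+\]: Illegal user .* from (\S+)$")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for .* from (\S+) port \d+ ssh2$")

def normalise(addr):
    """Return the plain address, unwrapping ::ffff:a.b.c.d; None if not an IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def decide_blocks(lines, max_tries=MAX_TRIES):
    """Map each address that should be blocked to the reason for blocking it."""
    tries, blocked = Counter(), {}
    for line in lines:
        illegal, failed = ILLEGAL.search(line), FAILED.search(line)
        ip = normalise((illegal or failed).group(1)) if (illegal or failed) else None
        if ip is None:
            continue  # unrelated line, or the source is not a literal address
        if illegal:
            blocked.setdefault(ip, "illegal user name")
        else:
            tries[ip] += 1
            if tries[ip] >= max_tries:
                blocked.setdefault(ip, "too many failed logins")
    return blocked

if __name__ == "__main__":
    print(decide_blocks(SAMPLE_LOG.splitlines()))
```

The returned addresses would still have to be handed to a packet filter and expired after some time; that part is left out here.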



