
Re: howto block ssh brute-force



I wrote a script for just this thing a few months ago. The script I
wrote, when executed from a cronjob, looks over the auth.log. When a
dictionary attack is found, it puts the IP of the attacker in a
peerguardian formatted file. From there, linblock
(http://www.dessent.net/linblock/) is executed and adds an iptables
rule for them.

If you would like to check it out, you can find it at
http://www.pcolalug.org/smf/index.php?topic=2734.0

~Daniel



On 3/12/06, Felipe Figueiredo <philsf@ufrj.br> wrote:
> Hello,
>
> once in a while (say, every two weeks) I get a brute-force
> login/password scan attempt in my server (i.e., a single ip tries
> dictionary account names and passwords at random). SSH access is
> needed by many users, and (RSA/DSA key)-only access is, at present
> time, unwanted. So far none such attempt was lucky (to my knowledge),
> but it always gives me creeps when I see unusually big logwatch
> reports, and my contacts to sysadmins of originating networks are
> usually ignored.
>
> Any ideas?
>
> Maybe there is a way to temporarily block ips upon such attempts (is
> this a FAQ?), or maybe divert them like what portsentry does for
> portscans?
>
>
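
The log-scanning step described in the reply above, sketched as an added example; it is not Daniel's script and not part of the original thread. It counts failed sshd logins per source address and emits PeerGuardian-style text entries. Assumptions: IPv4 only, the `label:start-end` text form of the blocklist, and the function names, thresholds and sample log lines, all of which are constructed here.

```python
import re
from collections import Counter

# sshd failure line. The user field is greedy and the pattern is anchored at
# end of line, so text placed inside a username cannot supply the address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user |illegal user )?(.*)"
    r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?\s*$"
)

def find_attackers(lines, min_failures=5, min_users=3, allowlist=()):
    """IPs with >= min_failures failed logins over >= min_users account names."""
    failures, users = Counter(), {}
    for line in lines:
        m = FAILED.search(line)
        if not m or m.group(2) in allowlist:
            continue
        user, ip = m.groups()
        failures[ip] += 1
        users.setdefault(ip, set()).add(user)
    return sorted(ip for ip, n in failures.items()
                  if n >= min_failures and len(users[ip]) >= min_users)

def to_p2p(ips, label="ssh-bruteforce"):
    """One single-address range per line: label:start-end (assumed format)."""
    return [f"{label}:{ip}-{ip}" for ip in ips]

# Constructed sample: one address guessing many accounts (the last "username"
# embeds a fake "from <ip>"), and one real user mistyping a password twice.
GUESSED = ["admin", "test", "guest", "oracle", "x from 192.0.2.1 port 22 ssh2"]
SAMPLE_LOG = [
    f"Mar 12 03:14:{i:02d} host sshd[2211]: Failed password for invalid user {u}"
    f" from 203.0.113.7 port {40100 + i} ssh2"
    for i, u in enumerate(GUESSED)
] + [
    "Mar 12 09:01:02 host sshd[2302]: Failed password for alice from 198.51.100.20 port 51000 ssh2",
    "Mar 12 09:01:09 host sshd[2302]: Failed password for alice from 198.51.100.20 port 51000 ssh2",
    "Mar 12 09:01:15 host sshd[2302]: Accepted password for alice from 198.51.100.20 port 51000 ssh2",
]

if __name__ == "__main__":
    print("\n".join(to_p2p(find_attackers(SAMPLE_LOG))))
```

With `min_users=3` a legitimate user who mistypes a password is not listed; set `min_users=1` to also count repeated guessing against a single account, and put your own admin addresses in `allowlist` so a typo cannot lock you out.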


