Re: SSH Cracking Attempts
On Wed, 29 Sep 2004 21:10:24 +0200, Jacob S <stormspotter@6Texans.net>
wrote:
> So, my question is this. Is there a way to tell ssh to refuse
> connections from an ip address after a certain number of failed login
> attempts, or is snort the only way to do something like this? So far
> I've been taking the manual approach, blocking the ip address with
> my firewall after I see it hitting the logs, but that can give them
> about an hour to play before I notice it (e-mailed to me by logcheck).
It's not really what you're asking, but:
In the dutch computer magazine C't, I read an article a few months ago
about protecting your computer using a port knocking system. If I
remember correctly, you can close a port (your SSH port, for example)
and only open it when a pre-defined pattern of access attempts on a
pre-defined port (unused for applications) is applied. The SSH port
can then be set to open in your firewall, perhaps only for the
IP-adress that performed the knocking sequence.
That way, the SSH port is closed and only someone who knows the
appropriate port knocking sequence can open the port - and then set up
an SSH session. Your ssh logfile should then no longer show up illegal
access attempts.
Some applications were named in the article - if you want, I can look
them up and post the names.
--
Matthijs
vanaalten@hotmail.com
Reply to: