Re: SSH Cracking Attempts
On Wed, 29 Sep 2004 21:55:59 +0200
Matthijs <firstname.lastname@example.org> wrote:
> On Wed, 29 Sep 2004 21:10:24 +0200, Jacob S <stormspotter@6Texans.net>
> > So, my question is this. Is there a way to tell ssh to refuse
> > connections from an ip address after a certain number of failed
> > login attempts, or is snort the only way to do something like this?
> > So far I've been taking the manual approach, blocking the ip address
> > with my firewall after I see it hitting the logs, but that can give
> > them about an hour to play before I notice it (e-mailed to me by
> > logcheck).
> It's not really what you're asking, but:
> In the dutch computer magazine C't, I read an article a few months ago
> about protecting your computer using a port knocking system. If I
> remember correctly, you can close a port (your SSH port, for example)
> and only open it when a pre-defined pattern of access attempts on a
> pre-defined port (unused for applications) is applied. The SSH port
> can then be set to open in your firewall, perhaps only for the
> IP-adress that performed the knocking sequence.
hmm... You're right, it's not what I'm looking for, but it still sounds
like a good concept. I'd be interested in learning more about that, if
not for this use with ssh, I have a couple other applications it could
work with on servers.
> That way, the SSH port is closed and only someone who knows the
> appropriate port knocking sequence can open the port - and then set up
> an SSH session. Your ssh logfile should then no longer show up illegal
> access attempts.
> Some applications were named in the article - if you want, I can look
> them up and post the names.
Yes, please. Unfortunately, I can't read Dutch. :-)