
Re: SSH Cracking Attempts



On Thu, 30 Sep 2004 02:13:02 -0400
Kevin Mark <kmark+debian-user@pipeline.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, Sep 29, 2004 at 02:09:58PM -0500, Jacob S wrote:
> > Every other day or so now I'm seeing attempts in my server's logs
> > where some remote machine starts trying to guess a username/password
> > combination to ssh into the server. They try everything from 'test',
> > to 'NOUSER', 'guest', 'root', etc., doing at least one login attempt
> > per second, each time from a different source port.
> > 
> > So, my question is this. Is there a way to tell ssh to refuse
> > connections from an IP address after a certain number of failed
> > login attempts, or is Snort the only way to do something like this?
> > So far I've been taking the manual approach, blocking the IP address
> > with my firewall after I see it hitting the logs, but that can give
> > them about an hour to play before I notice it (e-mailed to me by
> > logcheck).
> > 
> > Any suggestions? 

> Hi Jacob,
> It happened to me a few months ago. Someone suggested that I turn off
> root login from remote hosts in sshd. Is that what you want?

Hello,

No, I already have root logins disabled via ssh. Now I'd like to get
something set up that starts blocking IPs automatically when it sees a
certain number of failed logins. Not blocking based on username, but
blocking based on IP addresses or even MAC addresses (since I notice
iptables is capable of filtering on MAC addresses).

Thanks,
Jacob
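
One way to do the automatic blocking asked about above, as an added example that is not part of the original thread: it counts failed sshd logins per source IP inside a sliding window and renders an iptables rule for each offender. The log line format, the thresholds, port 22 and the sample addresses are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored on the end of the line: the username is remote-supplied text, so
# only the final "from <ip> port <n>" in the line is trusted as the source.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?.* "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?\s*$"
)

def offenders(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return source IPs with >= max_failures failed logins inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    flagged = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only the differences matter here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged

def drop_rules(ips, port=22):
    """Render one iptables DROP rule per offending address (not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]

# Constructed sample log: one host guessing once per second from changing
# source ports, plus a legitimate user who mistypes a password twice.
SAMPLE_LOG = [
    f"Sep 29 14:09:{s:02d} server sshd[{2000 + s}]: Failed password for "
    f"illegal user {u} from 203.0.113.45 port {40000 + s} ssh2"
    for s, u in enumerate(["test", "NOUSER", "guest", "admin", "user", "info"])
] + [
    "Sep 29 14:10:05 server sshd[2100]: Failed password for jacob from 192.0.2.7 port 51000 ssh2",
    "Sep 29 14:12:40 server sshd[2101]: Failed password for jacob from 192.0.2.7 port 51002 ssh2",
    "Sep 29 14:12:45 server sshd[2102]: Accepted password for jacob from 192.0.2.7 port 51004 ssh2",
]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

Fed the live auth log from cron or a log tailer, the rendered rules can be reviewed or applied by a privileged wrapper; an allowlist for known-good addresses belongs in front of that step.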


