Re: Package to block random SSH login attempts?
On Sat, Dec 04, 2004 at 11:42:40AM -0500, Adam Rosi-Kessel wrote:
> Is there any Debian package (or free software outside of Debian) that can
> detect random ssh login attempts and blacklist (temporarily or
> permanently) the IP address?
My new server has been getting attacked several times a week,
even though it's not serving anything much yet.
I wrote a little script to check how many times it's been attacked, and by whom;
here are the results so far:
107 Nov 22 220.72.22.110
9 Nov 22 61.135.145.249
9 Nov 23 67.15.45.240
107 Nov 23 211.229.236.170
3 Nov 28 207.248.228.194
18 Nov 29 210.219.250.239
3 Nov 29 196.38.231.130
112 Dec 1 203.69.243.102
577 Dec 2 216.240.139.153
9 Dec 5 220.70.167.67
I'm not much worried about a break-in, but 557 attempts is quite a lot.
Apart from anything, it must slow down my puny server having to do all that
crypto! I don't want to run my script one day and see a million attempts or
something! I suppose it would be possible to do something like that with a
threaded attack. Still, it's more efficient for them to go after people with
dumb passwords.
I think a good solution would be exponential lockout, for each failed login,
sshd should double the amount of time a certain IP has to wait before it will
be allowed to connect again, and reset to 1 after a successful login.
i.e. if someone types the wrong password, their IP will be locked out for 1
second, if they type the wrong password again, they are locked out for 2
seconds, then 4, then 8, etc.
This would limit the number of failed connections per day from a particular IP
address to about 16 (2^17 > seconds/day), which is not enough for anyone to
guess my password, but it wouldn't lock ME out (for long) if I accidentally
typed my password wrong or screwed up my keys a few times.
Maybe this kind of solution is more scalable for a multi-user system than
arbitrary limits and permanent lockout.
I wrote a hack for pppd that did something like this a while ago: it would
redial automatically if the connection dropped out, but for every failed
connection it would wait twice as long before it did (we pay a connection fee for
local phone calls in .au, and infinite redial loops can be expensive!).
If anyone else thinks this would be worthwhile, I might have a go at getting
sshd to do it. Or would this be better implemented somewhere else, maybe as a
general anti-abuse service that would interact with iptables?
Sam
P.S.
here's my "attacks" script if you're interested:
# oldest rotated log first; catz (below) decompresses .gz/.bz2 rotations on the fly
ls -r /var/log/auth.log* | xargs catz | grep 'Failed password' | grep "$HOSTNAME" |
# strip everything up to the IPv4-mapped "::ffff:" prefix, drop " port ..." and the time,
# leaving "Mon DD a.b.c.d" per failure; uniq -c then counts consecutive identical lines
sed "s/$HOSTNAME.*::ffff://; s/ port.*//; s/ ..:..:.. / /;" | uniq -c
and catz is:
#!/bin/sh
# cat each argument, decompressing by file extension
for A in "$@"; do
    case "$A" in
        *.gz)  zcat "$A" ;;
        *.bz2) bzcat "$A" ;;
        *)     cat "$A" ;;
    esac
done
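As an added example (not code from Sam's post, and not an existing sshd feature): a Python sketch of the exponential lockout he proposes, replayed over constructed auth.log lines in the 2004 sshd/syslog format his sed script expects, plus the "how many failures per day" figure from the 2^17 > seconds/day remark. The log format, the year 2004 (syslog lines carry none), the hostname "box" and the sample addresses are assumptions.

```python
import re
from datetime import datetime

# 2004-era sshd syslog line; Sam's sed strips the same "::ffff:" IPv4-mapped prefix (assumed format).
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) \w+ for "
                     r"(?:invalid user )?\S+ from (?:::ffff:)?(\d+\.\d+\.\d+\.\d+) port \d+")

def parse(line, year=2004):
    """(seconds since Jan 1, accepted?, ip) for an sshd auth line, else None; year is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds(), m.group(2) == "Accepted", m.group(3)

class ExponentialLockout:
    """After an IP's n-th consecutive failure, refuse it for base*2^n seconds; a success resets it."""
    def __init__(self, base=1.0):
        self.base, self.failures, self.unlock_at = base, {}, {}
    def allowed(self, ip, now):
        return now >= self.unlock_at.get(ip, 0.0)
    def failure(self, ip, now):
        n = self.failures.get(ip, 0)
        self.failures[ip], self.unlock_at[ip] = n + 1, now + self.base * 2 ** n
        return self.base * 2 ** n  # seconds this IP must now wait
    def success(self, ip):
        for d in (self.failures, self.unlock_at): d.pop(ip, None)

def replay(lines, base=1.0):
    """Run log lines through the policy; return per-IP counts of attempts it would have refused."""
    policy, refused = ExponentialLockout(base), {}
    for now, ok, ip in filter(None, map(parse, lines)):
        if not policy.allowed(ip, now):
            refused[ip] = refused.get(ip, 0) + 1  # dropped before sshd does any key exchange
        elif ok:
            policy.success(ip)
        else:
            policy.failure(ip, now)
    return refused

def max_failures_per_day(base=1.0):
    """Failures one IP gets in 24h if it reconnects the instant each lockout ends (t = 2^n - 1)."""
    policy, now, n = ExponentialLockout(base), 0.0, 0
    while now < 86400:
        now, n = now + policy.failure("attacker", now), n + 1
    return n

SAMPLE = [  # constructed lines in the format above, not taken from Sam's server
    "Dec  2 03:04:05 box sshd[1234]: Failed password for root from ::ffff:192.0.2.10 port 4021 ssh2",
    "Dec  2 03:04:06 box sshd[1235]: Failed password for invalid user test from ::ffff:192.0.2.10 port 4022 ssh2",
    "Dec  2 03:04:07 box sshd[1236]: Failed password for root from ::ffff:192.0.2.10 port 4023 ssh2",
    "Dec  2 09:00:00 box sshd[1300]: Failed password for sam from ::ffff:198.51.100.7 port 5000 ssh2",
    "Dec  2 09:00:02 box sshd[1301]: Accepted password for sam from ::ffff:198.51.100.7 port 5001 ssh2",
]
```

With a 1-second base the third 192.0.2.10 attempt arrives 1 s into a 2 s lockout and is refused, while sam's typo costs only a 1 s wait before the accepted login clears the state; max_failures_per_day() gives 17, matching Sam's "about 16".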