
Re: blocking IPs that try to crack SSH, is portsentry what I want?



On Mon, 18 Apr 2005, Dr. David Kirkby wrote:

> Anonymous wrote:
> >I get loads of this crap in my auth.log file,
> >
> >Failed password for illegal user root from ...
> >Failed password for illegal user webmaster from ...
> >Failed password for illegal user data from ...
> >
> >sometimes almost 100 attempts in series from the same IP. I
> >want to install something that will block an offensive IP
> >indefinitely after a few bad attempts (say 3 or 4 rather
> >than 1, since I occasionally make typos when logging in!).
[ . . . ]
> It is not that hard to spoof the IP address. What happens if the spoof 
> IP is your DNS server? Suddenly DNS does not work. Or how about the IP 
> address of Google, or search engine spiders? It sounds good, but I 
> believe in practice it can lead to more problems than it solves.

A better option would be to simply block port 22 (or whatever port is being
attacked) from the (allegedly) offending IP address.  You can also set
things up so the block expires after a period of time.  There is a nice
overview of using the ipt_recent module with netfilter to address this
problem here:
  <http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks>

A different approach is to use a perl script (sshd_sentry) to monitor the
logs and update/expire host entries in /etc/hosts.deny:
  <http://beau.org/pipermail/whitebox-users/2005-March/005790.html>
  <http://linuxmafia.com/pub/linux/security/sshd_sentry/>

I'm using the perl script option and haven't had a problem...  The 
iptables approach seems 'nicer' though.  If applicable, make sure
you remove 'sshd: ALL' in hosts.allow, and add something like
'ALL EXCEPT sshd: ALL'  to hosts.deny to make the script work as
intended.

-- Brad
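The log-watching approach described in the reply above, as an added example that is not sshd_sentry itself or any code from the thread: it counts failures per source address, blocks after a few attempts rather than one, expires blocks after a period, and keeps an allow-list so that a spoofed DNS-server address is never written to hosts.deny. The quoted log lines are cut off at "from ...", so the full syslog line format, the hostname, the PIDs and the 192.0.2.x sample addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the auth.log lines quoted in the thread. The quoted lines are cut
# off at "from ...", so the syslog prefix and the port field are assumptions.
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:illegal|invalid) user \S+ "
                       r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

class SshSentry:
    """Count failed logins per source IP; block after threshold, expire after ban."""
    def __init__(self, threshold=4, ban=timedelta(hours=1), never_block=()):
        self.threshold = threshold           # 3-4 rather than 1, so typos are forgiven
        self.ban = ban                       # blocks expire instead of lasting forever
        self.never_block = set(never_block)  # e.g. your DNS server (the spoofing concern)
        self.failures = defaultdict(int)     # ip -> failed attempts so far
        self.banned_until = {}               # ip -> datetime when the block lapses
    def observe(self, line):
        """Feed one log line; return the IP if this line triggered a new block."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
        ip = m.group("ip")
        self.expire(ts)
        if ip in self.never_block or ip in self.banned_until:
            return None
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold:
            return None
        del self.failures[ip]
        self.banned_until[ip] = ts + self.ban
        return ip
    def expire(self, now):  # the "expire host entries" step
        for ip in [ip for ip, until in self.banned_until.items() if until <= now]:
            del self.banned_until[ip]
    def hosts_deny_lines(self):  # what would be written to /etc/hosts.deny
        return sorted(f"sshd: {ip}" for ip in self.banned_until)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [f"Apr 18 {t} host sshd[101]: Failed password for illegal user {u} from {ip} port 4000 ssh2"
    for t, u, ip in [("10:00:01", "root", "192.0.2.10"), ("10:00:02", "webmaster", "192.0.2.10"),
                     ("10:00:03", "data", "192.0.2.10"), ("10:00:04", "admin", "192.0.2.10"),
                     ("10:00:05", "root", "192.0.2.53"), ("10:00:06", "root", "192.0.2.53"),
                     ("10:00:07", "root", "192.0.2.53"), ("10:00:08", "root", "192.0.2.53"),
                     ("10:00:09", "bob", "192.0.2.77"), ("10:35:00", "root", "192.0.2.99")]]

def run_sample():
    # 192.0.2.53 plays the DNS server from the quoted objection; its 4 failures never block it.
    s = SshSentry(threshold=4, ban=timedelta(minutes=30), never_block={"192.0.2.53"})
    banned = [ip for ip in map(s.observe, SAMPLE_LOG) if ip]   # IPs blocked, in order
    return banned, s.hosts_deny_lines()   # 192.0.2.10's 30-minute block has lapsed by 10:35
```

Run as a daemon this would tail auth.log and rewrite hosts.deny; with the default one-hour ban the 192.0.2.10 entry is still present after the last sample line.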
