
Re: blocking IPs that try to crack SSH, is portsentry what I want?

On 4/18/05, Brad Sawatzky <brad+debian@swatter.net> wrote:
> On Mon, 18 Apr 2005, Dr. David Kirkby wrote:
> > Anonymous wrote:
> > >I get loads of this crap in my auth.log file,
> > >
> > >Failed password for illegal user root from ...
> > >Failed password for illegal user webmaster from ...
> > >Failed password for illegal user data from ...
> > >
> > >sometimes almost 100 attempts in series from the same IP. I
> > >want to install something that will block an offensive IP
> > >indefinitely after a few bad attempts (say 3 or 4 rather
> > >than 1, since I occasionally make typos when logging in!).
> [ . . . ]
> > It is not that hard to spoof the IP address. What happens if the spoof
> > IP is your DNS server? Suddenly DNS does not work. Or how about the IP
> > address of Google, or search engine spiders? It sounds good, but I
> > believe in practice it can lead to more problems than it solves.
> A better option would be to simply block port 22 (or whatever port is being
> attacked) from the (allegedly) offending ip address.  You can also set
> things up so the block expires after a period of time.  There is a nice
> overview of using the ip_recent module with netfilter to address this
> problem here:
>   <http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks>
> A different approach is to use a perl script (sshd_sentry) to monitor the
> logs and update/expire host entries in /etc/hosts.deny:
>   <http://beau.org/pipermail/whitebox-users/2005-March/005790.html>
>   <http://linuxmafia.com/pub/linux/security/sshd_sentry/>
> I'm using the perl script option and haven't had a problem...  The
> iptables approach seems 'nicer' though.  If applicable, make sure
> you remove 'sshd: ALL' in hosts.allow, and add something like
> 'ALL EXCEPT sshd: ALL'  to hosts.deny to make the script work as
> intended.
> -- Brad

In a word, awesome.  I've seen this topic on the mailing lists so
often that I begged to wonder if there was a better way. Mere minutes
after deployment, it snagged one.  Only saw a few attempts before it
was shut off.  And, since it can't do anything unless it shuts up for
a whole minute, it gives up and moves on.  NICE

-- Scott
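As an added illustration (not code from anyone in the thread or from the linked blog), the following Python model replays constructed auth.log-style lines through a per-address sliding window with the same `--seconds`/`--hitcount` semantics as the ipt_recent rules Brad points to, which is why the block only clears once the source "shuts up for a whole minute" as Scott observed. The addresses, log lines, `RecentTable` and `simulate` names are assumptions; note that real ipt_recent counts new TCP connections on port 22, whereas this model counts failed-password log events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log-style sample (RFC 5737 test addresses, not real hosts):
# 203.0.113.5 hammers sshd, 198.51.100.7 is a legitimate user who mistypes twice.
SAMPLE_LOG = """\
Apr 18 10:00:01 host sshd[100]: Failed password for illegal user root from 203.0.113.5
Apr 18 10:00:03 host sshd[101]: Failed password for illegal user webmaster from 203.0.113.5
Apr 18 10:00:05 host sshd[102]: Failed password for illegal user data from 203.0.113.5
Apr 18 10:00:07 host sshd[103]: Failed password for illegal user admin from 203.0.113.5
Apr 18 10:00:20 host sshd[104]: Failed password for scott from 198.51.100.7
Apr 18 10:00:59 host sshd[105]: Failed password for illegal user guest from 203.0.113.5
Apr 18 10:02:10 host sshd[106]: Failed password for illegal user root from 203.0.113.5
Apr 18 10:02:15 host sshd[107]: Failed password for scott from 198.51.100.7
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:(?:illegal|invalid) user )?\S+ from (\S+)")

class RecentTable:
    """Per-address sliding window modelled on `-m recent --set` followed by
    `-m recent --update --seconds S --hitcount N -j DROP`: every attempt is stamped,
    N or more stamps inside the last S seconds means drop, and dropped attempts are
    stamped too, so the block only clears after S quiet seconds."""
    def __init__(self, seconds=60, hitcount=4):
        self.window, self.hitcount = timedelta(seconds=seconds), hitcount
        self.stamps = defaultdict(deque)

    def hit(self, ip, ts):
        """Record one attempt; return True if it falls inside the block."""
        q = self.stamps[ip]
        while q and ts - q[0] > self.window:  # age out stamps older than the window
            q.popleft()
        q.append(ts)
        return len(q) >= self.hitcount

def simulate(log_text, seconds=60, hitcount=4, allow=frozenset()):
    """Replay log lines through the table -> {ip: {"accepted": n, "dropped": n}}.
    `allow` lists addresses that must never be blocked (e.g. your own hosts)."""
    table = RecentTable(seconds, hitcount)
    result = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-password line
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less syslog stamp
        ip = m.group(2)
        dropped = table.hit(ip, ts) and ip not in allow
        result[ip]["dropped" if dropped else "accepted"] += 1
    return dict(result)
```

With the defaults, the attacker's fourth and fifth attempts are dropped, the attempt 71 seconds after its last one gets through again, and the legitimate user's two typos are never touched.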
