Re: blocking IPs that try to crack SSH, is portsentry what I want?
On 4/18/05, Brad Sawatzky <firstname.lastname@example.org> wrote:
> On Mon, 18 Apr 2005, Dr. David Kirkby wrote:
> > Anonymous wrote:
> > >I get loads of this crap in my auth.log file,
> > >
> > >Failed password for illegal user root from ...
> > >Failed password for illegal user webmaster from ...
> > >Failed password for illegal user data from ...
> > >
> > >sometimes almost 100 attempts in series from the same IP. I
> > >want to install something that will block an offensive IP
> > >indefinitely after a few bad attempts (say 3 or 4 rather
> > >than 1, since I occasionally make typos when logging in!).
> [ . . . ]
> > It is not that hard to spoof the IP address. What happens if the spoof
> > IP is your DNS server? Suddenly DNS does not work. Or how about the IP
> > address of Google, or search engine spiders? It sounds good, but I
> > believe in practice it can lead to more problems than it solves.
> A better option would be to simply block port 22 (or whatever port is being
> attacked) from the (allegedly) offending ip address. You can also set
> things up so the block expires after a period of time. There is a nice
> overview of using the ip_recent module with netfilter to address this
> problem here:
> A different approach is to use a perl script (sshd_sentry) to monitor the
> logs and update/expire host entries in /etc/hosts.deny:
> I'm using the perl script option and haven't had a problem... The
> iptables approach seems 'nicer' though. If applicable, make sure
> you remove 'sshd: ALL' in hosts.allow, and add something like
> 'ALL EXCEPT sshd: ALL' to hosts.deny to make the script work as
> -- Brad
In a word, awesome. I've seen this topic on the mailing lists so
often, that I begged to wonder if there was a better way. Mere minutes
after deployment, it snagged one. Only saw a few attempts before it
was shut off. And, since it can't do anything unless it shuts up for
a whole minute, it gives up and moves on. NICE
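The log-watching approach Brad describes, as an added example that is not the sshd_sentry script or any code from this thread: count failed-password lines per source IP and emit a hosts.deny entry once a threshold is crossed. The log lines, hostname and addresses below are constructed; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the old "illegal user" wording shown in the thread, the newer
# "invalid user" wording, and failures for accounts that do exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: one scanning host, one legitimate user with a typo.
SAMPLE_LOG = """\
Apr 18 10:01:02 host sshd[1234]: Failed password for illegal user root from 192.0.2.10 port 4000 ssh2
Apr 18 10:01:03 host sshd[1235]: Failed password for illegal user webmaster from 192.0.2.10 port 4001 ssh2
Apr 18 10:01:04 host sshd[1236]: Failed password for illegal user data from 192.0.2.10 port 4002 ssh2
Apr 18 10:01:05 host sshd[1237]: Failed password for invalid user admin from 192.0.2.10 port 4003 ssh2
Apr 18 10:05:00 host sshd[1300]: Failed password for dave from 198.51.100.7 port 5000 ssh2
Apr 18 10:05:20 host sshd[1301]: Accepted password for dave from 198.51.100.7 port 5000 ssh2
"""

def parse_failures(log_text, year=2005):
    """Yield (timestamp, ip, user) for each failed-password line (syslog has no year)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def offenders(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {ip: count} for sources with >= threshold failures inside window.
    A threshold of 3 or 4 leaves room for the occasional genuine typo."""
    seen, hits = defaultdict(list), {}
    for ts, ip, _user in parse_failures(log_text):
        seen[ip] = [t for t in seen[ip] if ts - t <= window] + [ts]
        if len(seen[ip]) >= threshold:
            hits[ip] = len(seen[ip])
    return hits

def hosts_deny_lines(hits):
    """TCP-wrappers lines that block only sshd, so a spoofed source address
    (DNS server, search engine) loses SSH access at worst, nothing else."""
    return [f"sshd: {ip}" for ip in sorted(hits)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```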