Re: blocking IPs that try to crack SSH, is portsentry what I want?

To: debian-user@lists.debian.org
Subject: Re: blocking IPs that try to crack SSH, is portsentry what I want?
From: Scott Edwards <supadupa@gmail.com>
Date: Mon, 18 Apr 2005 13:24:35 -0600
Message-id: <[🔎] a53adc46050418122472c56bae@mail.gmail.com>
Reply-to: Scott Edwards <supadupa@gmail.com>
In-reply-to: <[🔎] 20050418160225.GA13922@dragon.swatter.net>
References: <[🔎] 4e97dea4574eada7c7d30745f597a71b@ecn.org> <[🔎] 4263C657.8010106@medphys.ucl.ac.uk> <[🔎] 20050418160225.GA13922@dragon.swatter.net>

On 4/18/05, Brad Sawatzky <brad+debian@swatter.net> wrote:
> On Mon, 18 Apr 2005, Dr. David Kirkby wrote:
> 
> > Anonymous wrote:
> > >I get loads of this crap in my auth.log file,
> > >
> > >Failed password for illegal user root from ...
> > >Failed password for illegal user webmaster from ...
> > >Failed password for illegal user data from ...
> > >
> > >sometimes almost 100 attempts in series from the same IP. I
> > >want to install something that will block an offensive IP
> > >indefinitely after a few bad attempts (say 3 or 4 rather
> > >than 1, since I occasionally make typos when logging in!).
> [ . . . ]
> > It is not that hard to spoof the IP address. What happens if the spoof
> > IP is your DNS server? Suddenly DNS does not work. Or how about the IP
> > address of Google, or search engine spiders? It sounds good, but I
> > belive it practice it can lead to more problems than it solves.
> 
> A better option would be to simply block port 22 (or whatever port is being
> attacked) from the (allegedly) offending ip address.  You can also set
> things up so the block expires after a period of time.  There is a nice
> overview of using the ip_recent module with netfilter to address this
> problem here:
>   <http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks>
> 
> A different approach is to use a perl script (sshd_sentry) to monitor the
> logs and update/expire host entries in /etc/hosts.deny:
>   <http://beau.org/pipermail/whitebox-users/2005-March/005790.html>
>   <http://linuxmafia.com/pub/linux/security/sshd_sentry/>
> 
> I'm using the perl script option and haven't had a problem...  The
> iptables approach seems 'nicer' though.  If applicable, make sure
> you remove 'sshd: ALL' in hosts.allow, and add something like
> 'ALL EXCEPT sshd: ALL'  to hosts.deny to make the script work as
> intended.
> 
> -- Brad
> 
> 
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 

In a word, awesome.  I've seen this topic on the mailing lists so
often, that I begged to wonder if there was a better way. Mere minutes
after deployment, it snaged one.  Only saw a few attempts before it
was shut off.  And, since it can't do anything unless it shuts up for
a whole minute, it gives up and moves on.  NICE

-- Scott

Reply to:

References:
- blocking IPs that try to crack SSH, is portsentry what I want?
  - From: Anonymous <cripto@ecn.org>
- Re: blocking IPs that try to crack SSH, is portsentry what I want?
  - From: "Dr. David Kirkby" <drkirkby@medphys.ucl.ac.uk>
- Re: blocking IPs that try to crack SSH, is portsentry what I want?
  - From: Brad Sawatzky <brad+debian@swatter.net>

Prev by Date: Re: Mailcap question: should %s be quoted?
Next by Date: Re: acrobat 7 plugin for mozilla/firefox works, and it does not
Previous by thread: Re: blocking IPs that try to crack SSH, is portsentry what I want?
Next by thread: Re: blocking IPs that try to crack SSH, is portsentry what I want?
Index(es):
- Date
- Thread