
Re: blocking IPs that try to crack SSH, is portsentry what I want?
Dr. David Kirkby wrote:

> I have in the past taken this approach, and still do in my firewall for
> one or two odd IPs. I wrote a script to update the ruleset in ipfilter
> (I use mainly a Sun) and to block IPs that were attacking my web server.
> 
> However, after discussing this with many others, I am not convinced it
> is such a good idea.
> 
> It is not that hard to spoof the IP address. What happens if the spoofed
> IP is your DNS server? Suddenly DNS does not work. Or how about the IP
> address of Google, or search engine spiders? It sounds good, but I
> believe in practice it can lead to more problems than it solves.

How about a Perl program run from a cron job to do the following?

1. Scan auth.log for lines that match something approximately like this
   /^.+sshd.+Illegal user.+?(\d+\.\d+\.\d+\.\d+).*$/
   so $1 is the IP address, and increment the value of a hash with the 
   IP as the key.

2. For any IP with more than 3 (for example) attempts, add a line
   "sshd: $ip   # banned at $datetime\n" 
   to /etc/hosts.deny (if it doesn't already contain $ip).

This would block only sshd, not DNS or any other services.  For improved 
efficiency it could use logtail or something similar instead of scanning 
the whole auth.log file.
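An added example, not from the original post, of the two-step script described above in Perl. The auth.log lines and the existing hosts.deny entry are constructed, and the new entries are printed instead of appended to /etc/hosts.deny.

```perl
#!/usr/bin/perl
# Count sshd "Illegal user" lines per source IP and emit hosts.deny entries
# for IPs over a threshold that are not already listed. Constructed example.
use strict;
use warnings;
use POSIX qw(strftime);

# Constructed sample auth.log lines; a real run would read the file or logtail output.
my @log = (
    'Mar  3 10:01:02 host sshd[123]: Illegal user admin from 192.0.2.10',
    'Mar  3 10:01:05 host sshd[124]: Illegal user test from 192.0.2.10',
    'Mar  3 10:01:09 host sshd[125]: Illegal user oracle from 192.0.2.10',
    'Mar  3 10:01:12 host sshd[126]: Illegal user guest from 192.0.2.10',
    'Mar  3 10:02:00 host sshd[130]: Illegal user bob from 198.51.100.7',
    'Mar  3 10:02:03 host sshd[131]: Illegal user root from 198.51.100.7',
    'Mar  3 10:02:06 host sshd[132]: Illegal user mysql from 198.51.100.7',
    'Mar  3 10:02:09 host sshd[133]: Illegal user ftp from 198.51.100.7',
    'Mar  3 10:03:00 host sshd[140]: Accepted publickey for alice from 203.0.113.5 port 2222 ssh2',
);
# Constructed current contents of /etc/hosts.deny: one IP is already banned.
my @deny      = ('sshd: 198.51.100.7   # banned at 2006-03-01 09:00:00');
my $threshold = 3;    # ban after more than this many attempts

# Step 1: tally "Illegal user" attempts per IP. The lazy .+? matters: a greedy .+
# before the capture group would backtrack and capture only the tail of the address.
sub count_attempts {
    my %hits;
    for (@_) {
        $hits{$1}++ if /^.+sshd.+Illegal user.+?(\d+\.\d+\.\d+\.\d+).*$/;
    }
    return \%hits;
}

# Step 2: build hosts.deny lines for IPs over the threshold that are not yet listed.
sub new_deny_lines {
    my ( $hits, $existing, $limit, $when ) = @_;
    my %already;
    for (@$existing) { $already{$1} = 1 if /sshd:\s*(\d+\.\d+\.\d+\.\d+)/ }
    return map  { "sshd: $_   # banned at $when\n" }
           grep { $hits->{$_} > $limit && !$already{$_} }
           sort keys %$hits;
}

my $now = strftime( '%Y-%m-%d %H:%M:%S', localtime );
# Prints only the 192.0.2.10 entry: 198.51.100.7 is over the limit but already present.
print new_deny_lines( count_attempts(@log), \@deny, $threshold, $now );
```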
