Re: blocking IPs that try to crack SSH, is portsentry what I want?
Dr. David Kirkby wrote:
> I have in the past taken this approach, and still do in my firewall for
> one or two odd IPs. I wrote a script to update the ruleset in ipfilter
> (I use mainly a Sun) and to block IPs that were attacking my web server.
>
> However, after discussing this with many others, I am not convinced it
> is such a good idea.
>
> It is not that hard to spoof the IP address. What happens if the spoof
> IP is your DNS server? Suddenly DNS does not work. Or how about the IP
> address of Google, or search engine spiders? It sounds good, but I
> believe in practice it can lead to more problems than it solves.
How about a Perl program run from a cron job to do the following?
1. Scan auth.log for lines that match something approximately like this
/^.+sshd.+Illegal user.+\b(\d+\.\d+\.\d+\.\d+).*$/
so $1 is the IP address, and increment the value of a hash with the
IP as the key.
2. For any IP with more than 3 (for example) attempts, add a line
"sshd: $ip # banned at $datetime\n"
to /etc/hosts.deny (if it doesn't already contain $ip).
This would block only sshd, not DNS or any other services. For improved
efficiency it could use logtail or something similar instead of scanning
the whole auth.log file.
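The two steps above, written out as a complete cron-able Perl script. This is an added example for this thread, not code the poster supplied; it assumes the classic syslog-style auth.log format (also matching the newer "Invalid user" wording that replaced "Illegal user"), the paths /var/log/auth.log and /etc/hosts.deny, and a threshold of 3 attempts. Note the \b in front of the captured address: a greedy `.+` before `(\d+\.\d+\.\d+\.\d+)` would otherwise hand back "2.168.1.50" for "192.168.1.50". Run with no arguments it does a dry run over the constructed sample lines in the __DATA__ section and writes nothing.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Matches both the old "Illegal user" and the newer "Invalid user" wording.
# The \b before the capture keeps a greedy match from eating the leading
# digits of the address (without it "192.168.1.50" can come back as "2.168.1.50").
my $FAIL_RE = qr/sshd\[\d+\]: (?:Illegal|Invalid) user \S+ from\b.*?\b(\d{1,3}(?:\.\d{1,3}){3})\b/;

my $THRESHOLD = 3;   # ban after more than this many attempts (assumed value)

# Count failed-login lines per source IP from an open filehandle.
sub count_failures {
    my ($fh) = @_;
    my %hits;
    while (my $line = <$fh>) {
        $hits{$1}++ if $line =~ $FAIL_RE;
    }
    return \%hits;
}

# IPs already present in hosts.deny as "sshd: a.b.c.d ..." lines.
sub already_denied {
    my ($path) = @_;
    my %seen;
    open my $fh, '<', $path or return \%seen;   # missing file: nothing denied yet
    while (<$fh>) {
        $seen{$1} = 1 if /^\s*sshd\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})\b/;
    }
    close $fh;
    return \%seen;
}

# IPs that cross the threshold and are not already listed.
sub to_ban {
    my ($hits, $denied) = @_;
    return grep { $hits->{$_} > $THRESHOLD && !$denied->{$_} } sort keys %$hits;
}

my ($log_path, $deny_path) = @ARGV;

if (defined $log_path) {
    # Real run, e.g. from cron:  ssh-ban.pl /var/log/auth.log /etc/hosts.deny
    $deny_path //= '/etc/hosts.deny';
    open my $log, '<', $log_path or die "cannot open $log_path: $!";
    my $hits = count_failures($log);
    close $log;
    my @ban = to_ban($hits, already_denied($deny_path));
    if (@ban) {
        open my $out, '>>', $deny_path or die "cannot append to $deny_path: $!";
        my $now = scalar localtime;
        print $out "sshd: $_ # banned at $now ($hits->{$_} attempts)\n" for @ban;
        close $out;
    }
} else {
    # Dry run over the constructed sample lines below; nothing is written.
    my $hits = count_failures(\*DATA);
    print "$_: $hits->{$_} attempts\n" for sort keys %$hits;
    print "would ban: ", join(', ', to_ban($hits, {})), "\n";
}

# Constructed sample auth.log lines (not real log data).
__DATA__
Sep 10 12:00:01 host sshd[2201]: Illegal user test from 192.168.1.50
Sep 10 12:00:03 host sshd[2203]: Illegal user admin from 192.168.1.50
Sep 10 12:00:05 host sshd[2205]: Illegal user oracle from 192.168.1.50
Sep 10 12:00:07 host sshd[2207]: Illegal user guest from 192.168.1.50
Sep 10 12:00:09 host sshd[2209]: Invalid user bob from 10.0.0.7 port 40211
Sep 10 12:00:11 host sshd[2211]: Illegal user root from ::ffff:203.0.113.9
Sep 10 12:00:13 host sshd[2213]: Accepted publickey for dave from 10.0.0.7 port 40300 ssh2
```

On the sample data only 192.168.1.50 (4 attempts) crosses the threshold; the IPv4-mapped "::ffff:" form is handled because the pattern skips ahead to the dotted quad. Two caveats before relying on this: the script must run as root to append to /etc/hosts.deny, and hosts.deny only affects sshd when it was built with tcp_wrappers (libwrap) support, which OpenSSH removed in 6.7, so on a current system the same per-IP list has to be enforced by the packet filter or a `Match Address` block in sshd_config instead.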