Re: stopping ssh attacks
On Thursday 16 June 2005 10:05 am, Thomas Stivers wrote:
> I have been getting a huge number of attempts to log into my box via ssh
> which fail with invalid username entries in the logs. Is there already a
> package which will let me look through the logs and dynamically add
> iptables rules to drop anything from these scanning addresses after
> something like 3 attempts. I know I can set up hosts.allow and
> hosts.deny to only allow ssh in from particular IPs, but I'd rather not
> do that. Any suggestions would be appreciated.
Take a look at DenyHosts (http://denyhosts.sourceforge.net/). It basically
uses tcp_wrappers to block all such attempts. There is a mini-howto/article
up on http://rootprompt.org/article.php3?article=8735.
Note that there are also a number of methodologies which accomplish the same
thing using iptables... One such example is at
https://lists.netfilter.org/pipermail/netfilter/2005-June/060914.html. The
extension of this would be to use something like port knocking
(http://www.portknocking.org) to protect ssh and other services.
--
--Brad
========================================================================
Bradley M. Alexander |
IA Analyst, SysAdmin, Security Engineer | storm [at] tux.org
Debian/GNU Linux Developer | storm [at] debian.org
========================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
========================================================================
"Smoking kills, and if you're killed, you've lost a very important part of
your life."
-- Anti-smoking spokesperson Brooke Shields
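
The approach discussed in this message (count invalid-username entries per source address, then block via tcp_wrappers after 3 attempts), as an added example that is not part of the original post and is not DenyHosts' own code. The sshd log line format, the sample lines and the function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

THRESHOLD = 3  # block after this many invalid-user attempts, as in the question

# Greedy (.*) plus the end-of-line anchor makes the *last* " from <addr>" win.
# The username is attacker-controlled, so a name such as "x from 192.0.2.1"
# must not be able to get somebody else's address blocked.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid|Illegal) user (.*) from (\S+)(?: port \d+)?\s*$"
)

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jun 16 10:01:02 box sshd[4101]: Invalid user admin from 203.0.113.5
Jun 16 10:01:04 box sshd[4102]: Invalid user test from 203.0.113.5
Jun 16 10:01:07 box sshd[4103]: Illegal user guest from 203.0.113.5
Jun 16 10:02:11 box sshd[4104]: Invalid user oracle from 198.51.100.7
Jun 16 10:02:13 box sshd[4105]: Invalid user x from 192.0.2.1 from 198.51.100.7 port 4022
Jun 16 10:02:15 box sshd[4106]: Invalid user y from 192.0.2.1 from 198.51.100.7 port 4023
Jun 16 10:03:00 box sshd[4107]: Accepted password for tom from 192.0.2.1 port 5000 ssh2
Jun 16 10:04:00 box sshd[4108]: Invalid user z from 192.0.2.1
"""

def offenders(log_text, threshold=THRESHOLD, never_block=()):
    """Return sorted IPv4 addresses with >= threshold invalid-user entries."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.IPv4Address(m.group(2)))  # IPv4 only here
        except ValueError:
            continue  # hostname or garbage in the address field: ignore
        if addr not in never_block:  # never lock out your own admin hosts
            counts[addr] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def hosts_deny_lines(ips):
    """Format addresses as tcp_wrappers entries for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```
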