
Re: stopping ssh attacks



On Thursday 16 June 2005 10:05 am, Thomas Stivers wrote:
> I have been getting a huge number of attempts to log into my box via ssh
> which fail with invalid username entries in the logs. Is there already a
> package which will let me look through the logs and dynamically add
> iptables rules to drop anything from these scanning addresses after
> something like 3 attempts? I know I can set up hosts.allow and
> hosts.deny to only allow ssh in from particular IPs, but I'd rather not
> do that. Any suggestions would be appreciated.

Take a look at DenyHosts (http://denyhosts.sourceforge.net/). It basically 
uses tcp_wrappers to block all such attempts. There is a mini-howto/article 
up on http://rootprompt.org/article.php3?article=8735.

Note that there are also a number of methodologies which accomplish the same 
thing using iptables. One such example is at 
https://lists.netfilter.org/pipermail/netfilter/2005-June/060914.html. The 
extension of this would be to use something like port knocking 
(http://www.portknocking.org) to protect ssh and other services.

-- 
--Brad
========================================================================
Bradley M. Alexander                       |
IA Analyst, SysAdmin, Security Engineer    |   storm [at] tux.org
Debian/GNU Linux Developer                 |   storm [at] debian.org
========================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
========================================================================
"Smoking kills, and if you're killed, you've lost a very important part of
your life."
			        -- Anti-smoking spokesperson Brooke Shields
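
The log-scanning approach discussed in this thread (count "invalid user" failures per source address, then deny via tcp_wrappers after 3 attempts), as an added example that is not part of the original message and is not DenyHosts' own code. The log line format, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (documentation-range addresses); not from the thread.
SAMPLE_LOG = """\
Jun 16 10:01:02 box sshd[2101]: Invalid user admin from 192.0.2.10
Jun 16 10:01:04 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4122 ssh2
Jun 16 10:01:05 box sshd[2103]: Invalid user test from 192.0.2.10
Jun 16 10:01:09 box sshd[2105]: Invalid user guest from 192.0.2.10 port 4130
Jun 16 10:02:11 box sshd[2110]: Invalid user oracle from 198.51.100.7
Jun 16 10:03:40 box sshd[2114]: Accepted publickey for thomas from 203.0.113.5 port 5022 ssh2
Jun 16 10:04:02 box sshd[2120]: Invalid user x from 10.0.0.1 from 198.51.100.7
"""

# The user name is chosen by the remote client and may itself contain
# " from <address>". The greedy ".*" plus the "$" anchor make the capture
# the last address on the line, which is the one sshd appended.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?$")

def count_invalid_users(lines):
    """Return a Counter of source address -> number of 'Invalid user' lines."""
    hits = Counter()
    for line in lines:
        match = INVALID_USER.search(line.rstrip())
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not a literal address (e.g. a hostname); skip it
        hits[str(addr)] += 1
    return hits

def hosts_deny_entries(lines, threshold=3, allowlist=()):
    """Build tcp_wrappers hosts.deny lines for addresses at or over threshold."""
    entries = []
    for ip, count in sorted(count_invalid_users(lines).items()):
        if count >= threshold and ip not in allowlist:
            # hosts.deny expects IPv6 addresses in square brackets
            client = f"[{ip}]" if ":" in ip else ip
            entries.append(f"sshd: {client}")
    return entries

if __name__ == "__main__":
    for entry in hosts_deny_entries(SAMPLE_LOG.splitlines()):
        print(entry)
```

The last sample line shows why the address must be taken from the end of the line: a pattern that stops at the first " from " would count 10.0.0.1, an address the client put in the user name, and could end up denying a host that never connected.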


