RE: Reporting brute force ssh login attempts
Hi,
Another cool option is to use the knock daemon. With it I have ssh access disabled, and when I need to get it I send a special packet
sequence and the doors magically open :)
> -----Original Message-----
> From: Peter Colton [mailto:debian.user@bissybox.com]
> Sent: Wednesday, November 15, 2006 9:58 PM
> To: debian-user@lists.debian.org
> Subject: Re: Reporting brute force ssh login attempts
>
> On Wednesday 15 November 2006 18:51, Shri Shrikumar wrote:
> > Hi All,
> >
> > I have a few servers on which there are regular penetration attempts
> > using brute force password guessing bots.
> >
> > There is little risk to the server but am getting more and more annoyed
> > by this and as far as I can see am left with two options.
> >
> > 1. Report each IP address that does this. However, a lot of them seem
> > to be from Asia with no proper abuse@ address to contact. Additionally,
> > this can be very time consuming.
> >
> > 2. Change the port number that ssh uses to something else. This has the
> > annoyance that I need to pass the new port number in each time I want to
> > log-in.
> >
> > 3. Ignore the issue. Very annoying since logwatch and logcheck
> > constantly complain about it. However, I can add filters so it annoys me
> > less.
> >
> > Is there another option? Alternatively, is there a way of
> > automatically reporting offending IPs?
> >
> > Any input in this matter greatly appreciated.
> >
> > Best Wishes,
> >
> >
> > Shri
>
> Hello Shri,
>
> A handy tool I use to cut down on ssh brute force attacks is fail2ban. You
> can install it from backports.org.
> Add the backport URL to your sources.list:
> http://www.backports.org/dokuwiki/doku.php?id=instructions
> Then, after you have installed fail2ban, comment out the www.backports.org URL in
> your apt sources.list so that you will not bring in any unwanted packages in
> the future.
>
> http://fail2ban.sourceforge.net/wiki/index.php/README
> http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/
> http://www.debianhelp.co.uk/fail2ban.htm
>
> regards
>
> peter colton
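The log-watching approach behind a tool like fail2ban, and one answer to the question about listing offending addresses automatically, shown as an added example that is not part of the thread and is not fail2ban's own code. The log lines are constructed, and the function name and the `max_retry`, `find_time` and `year` parameters are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the classic sshd syslog format (not taken from the thread).
SAMPLE_LOG = """\
Nov 15 18:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Nov 15 18:40:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40031 ssh2
Nov 15 18:40:06 host sshd[2105]: Failed password for root from 203.0.113.7 port 40040 ssh2
Nov 15 18:41:10 host sshd[2110]: Failed password for shri from 198.51.100.20 port 51000 ssh2
Nov 15 18:41:30 host sshd[2111]: Accepted password for shri from 198.51.100.20 port 51002 ssh2
Nov 15 18:55:00 host sshd[2130]: Failed password for root from 192.0.2.9 port 33000 ssh2
Nov 15 19:30:00 host sshd[2140]: Failed password for root from 192.0.2.9 port 33010 ssh2
Nov 15 20:10:00 host sshd[2150]: Failed password for root from 192.0.2.9 port 33020 ssh2
"""

# Anchored at both ends with a greedy user field, so a login name that itself
# contains " from 192.0.2.1 port 1 ssh2" cannot shift the captured address.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2006):
    """Map each source IP that reached max_retry failures within find_time
    to the highest number of failures seen in any such window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    peak = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak

if __name__ == "__main__":
    for ip, count in sorted(offenders(SAMPLE_LOG).items()):
        print(f"{ip}\t{count} failed logins within 10 minutes")
```

The slow guesser at 192.0.2.9 stays under the default ten-minute window and only shows up when `find_time` is widened, which is the trade-off to tune when choosing a window and threshold.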