
RE: Reporting brute force ssh login attempts



Hi,

Another cool option is to use the knock daemon. With it I have ssh access disabled, and when I need to get it, I send a special packet
sequence and the doors magically open :)

> -----Original Message-----
> From: Peter Colton [mailto:debian.user@bissybox.com]
> Sent: Wednesday, November 15, 2006 9:58 PM
> To: debian-user@lists.debian.org
> Subject: Re: Reporting brute force ssh login attempts
> 
> On Wednesday 15 November 2006 18:51, Shri Shrikumar wrote:
> > Hi All,
> >
> > I have a few servers on which there are regular penetration attempts
> > using brute force password guessing bots.
> >
> > There is little risk to the server but am getting more and more annoyed
> > by this and as far as I can see am left with two options.
> >
> > 1. Report each IP address that does this. However, a lot of them seem
> > to be from Asia with no proper abuse@ address to contact. Additionally,
> > this can be very time consuming.
> >
> > 2. Change the port number that ssh uses to something else. This has the
> > annoyance that I need to pass the new port number in each time I want to
> > log-in.
> >
> > 3. Ignore the issue. Very annoying since logwatch and logcheck
> > constantly complain about it. However, I can add filters so it annoys me
> > less.
> >
> > Is there another option? Alternatively, is there a way of
> > automatically reporting offending IPs?
> >
> > Any input in this matter greatly appreciated.
> >
> > Best Wishes,
> >
> >
> > Shri
> 
> 	Hello Shri,
> 
> 	A handy tool I use to cut down on ssh brute force attacks is fail2ban. You
> can install it from backports.org.
> Add the backport URL to your sources.list:
> http://www.backports.org/dokuwiki/doku.php?id=instructions
> Then after you have installed fail2ban, comment out the www.backports.org URL in
> your apt sources.list so that you will not bring in any unwanted packages in
> the future.
> 
> http://fail2ban.sourceforge.net/wiki/index.php/README
> http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/
> http://www.debianhelp.co.uk/fail2ban.htm
> 
> 	regards
> 
>               peter colton
