
brute force ssh login attempts and how to Disrupt them



	One day, I noticed one of those attacks starting.  What
got my attention was the fact that the room was quiet.  My head
was near the system, and I heard a rhythmic tick-tock coming from
the main hard drive, about once per second, sort of like a
heartbeat.  I got curious and looked in the logs and there this
moron was in auth.log doing his thing.  There wasn't much else
important going on at the time so I just pulled the Ethernet
cable and, of course, the tick-tock stopped.  I bet I didn't have
it disconnected more than 10 or 15 seconds, but when I put it
back, the idiot was gone so apparently, the script gives up
pretty easily.

	I wrote a C filter at work on our FreeBSD boxes that all
use ipfw to monitor the syslog for the "no identification string
from" message that these scripts generate first, and then make a
rule that slams the door on these kiddies.  Every week, I empty
the jail and clear out the rules that were created.  I think now
that I probably could just have the rule in for 30 seconds or so
and get rid of most of the headaches.

	I haven't created anything similar for Linux yet or I
would be happy to let folks try it out.

Martin McCormick WB5AGZ  Stillwater, OK 
Systems Engineer
OSU Information Technology Department Network Operations Group
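The log-watching filter described above, sketched as an added example (this is not Martin's C code, which he says he has not ported to Linux). It scans sshd syslog lines for the "identification string from" message, records the source address, and emits ipfw table commands so the block can be dropped again after the 30 seconds he suggests instead of being cleared by hand each week. Assumptions: a pre-existing rule such as `ipfw add deny ip from table(1) to me 22` consults table 1, the real OpenSSH wording is "Did not receive identification string from <ip>" (the post paraphrases it), and the sample log lines below are constructed with documentation addresses. Commands are returned as strings rather than executed so the logic can be exercised offline.

```python
import re

# sshd's first complaint about a scanner that connects and sends no banner.
# The post quotes it loosely, so match the common tail of the message.
LOG_RE = re.compile(
    r"sshd\[\d+\]: .*identification string from (\d{1,3}(?:\.\d{1,3}){3})"
)

BLOCK_SECONDS = 30  # the post's estimate of how long a block needs to last


class TempBlocker:
    """Keeps a per-address expiry and records the ipfw table commands that
    would add or remove the address (table 1 is an assumption)."""

    def __init__(self, ttl=BLOCK_SECONDS, table=1):
        self.ttl = ttl
        self.table = table
        self.blocked = {}   # ip -> time the block should be lifted
        self.commands = []  # ipfw commands in the order they would run

    def observe(self, line, now):
        """Inspect one syslog line; block the offender or extend its block."""
        m = LOG_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip not in self.blocked:
            self.commands.append(f"ipfw table {self.table} add {ip}")
        self.blocked[ip] = now + self.ttl  # repeated hits push expiry out
        return ip

    def expire(self, now):
        """Lift every block whose time is up; returns the addresses released."""
        done = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in done:
            del self.blocked[ip]
            self.commands.append(f"ipfw table {self.table} delete {ip}")
        return done


def replay(events, ttl=BLOCK_SECONDS):
    """Feed (timestamp, line) pairs through a blocker, expiring stale blocks
    before each line is examined. Returns (commands, blocks still active)."""
    blocker = TempBlocker(ttl=ttl)
    for now, line in events:
        blocker.expire(now)
        blocker.observe(line, now)
    return blocker.commands, dict(blocker.blocked)


# Constructed sample: one scanner hammering at one-second intervals, an
# unrelated login, then a second scanner after the first block has lapsed.
SAMPLE_EVENTS = [
    (0, "Mar  3 02:14:07 gw sshd[1201]: Did not receive identification string from 203.0.113.5"),
    (1, "Mar  3 02:14:08 gw sshd[1202]: Did not receive identification string from 203.0.113.5"),
    (5, "Mar  3 02:14:12 gw sshd[1203]: Accepted publickey for martin from 198.51.100.20 port 50122 ssh2"),
    (40, "Mar  3 02:14:47 gw sshd[1204]: Did not receive identification string from 198.51.100.7"),
]

if __name__ == "__main__":
    cmds, active = replay(SAMPLE_EVENTS)
    for c in cmds:
        print(c)
    print("still blocked:", active)
```

Because the expiry is tracked by the script rather than by ipfw, the weekly "empty the jail" step becomes unnecessary; a production version would run the commands with subprocess and read the live log instead of a list.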


