Educause Security Discussion mailing list archives
Re: Ongoing distributed Linux SSH dictionary attack
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Fri, 17 Apr 2009 10:06:04 -0400
2009/4/17 Michael Horne <Michael.Horne () olin edu>:
> We have been seeing that type of attack for some time now and decided to implement an older program called SSHDFilter. I believe this is the one we are using currently. http://www.csc.liv.ac.uk/~greg/sshdfilter/ Works with SSHD and after X number of failed attempts it drops the source IP address into a drop list in iptables, then clears them out after a set time period to not clutter up the iptables rules.
sshdfilter, fail2ban and others do pretty well. I'm surprised no one has mentioned connection tracking and limiting on these *nix machines yet. You can use built-in iptables functionality to say, "allow 5 connections in 1 minute and ban the IP if additional connections are made".

http://www.debian-administration.org/articles/187

You can also do this with pf on FreeBSD/OpenBSD (which is actually where I'm the most familiar with doing it).

kmw

-- 
Kevin Wilcox
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
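The "5 new connections per minute, then drop" rule set Kevin describes, written out with the iptables `recent` match as an added example (this is not code from the post or from sshdfilter). It assumes SSH on port 22, a tracking list named `SSH`, and the kernel's default `xt_recent` list depth of 20 packets per source; the pf equivalent is given in a comment.

```shell
#!/bin/sh
# Emit iptables rules that allow MAX new SSH connections per source address
# inside a WINDOW of seconds and drop the rest, using "-m recent".
# The rules are printed, not applied; pipe the output to sh on the firewall
# after allowlisting your own management hosts ahead of these rules.
ssh_ratelimit_rules() {
    max=${1:-5}        # new connections allowed per window (constructed default)
    window=${2:-60}    # window length in seconds
    hit=$((max + 1))   # the (max+1)th connection inside the window is dropped
    # xt_recent only remembers ip_pkt_list_tot (default 20) timestamps per
    # source, so a hitcount above that can never match and silently disables
    # the ban. Refuse such values instead of emitting a rule that does nothing.
    if [ "$hit" -gt 20 ]; then
        echo "hitcount $hit exceeds xt_recent default ip_pkt_list_tot=20" >&2
        return 1
    fi
    cat <<EOF
# Record every new SSH connection attempt by source address in the SSH list.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
# Drop once the source has $hit entries within the last ${window}s.
# --update refreshes the timestamp on each match, so a source that keeps
# retrying stays blocked until it goes quiet for a full window.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds $window --hitcount $hit --name SSH -j DROP
# Everything under the threshold is accepted.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# pf equivalent on FreeBSD/OpenBSD (same 5-per-60s policy; \$ext_if is assumed):
#   table <bruteforce> persist
#   block in quick from <bruteforce>
#   pass in on \$ext_if proto tcp to port ssh keep state \
#       (max-src-conn-rate 5/60, overload <bruteforce> flush global)
```

Note that every user behind a shared NAT address counts against the same limit, so size MAX and WINDOW for your campus rather than copying the defaults.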
Current thread:
- Ongoing distributed Linux SSH dictionary attack Andrew Daviel (Apr 16)
- Re: Ongoing distributed Linux SSH dictionary attack Pete Hickey (Apr 16)
- Re: Ongoing distributed Linux SSH dictionary attack Ken Connelly (Apr 16)
- Re: Ongoing distributed Linux SSH dictionary attack Andrew Daviel (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Michael Horne (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Kevin Wilcox (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Russell Fulton (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Daly, Douglas (Apr 17)
- Re: Ongoing distributed Linux SSH dictionary attack Andrew Daviel (Apr 18)
- Re: Ongoing distributed Linux SSH dictionary attack Andrew Daviel (Apr 18)