Educause Security Discussion mailing list archives

Re: Ongoing distributed Linux SSH dictionary attack


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Fri, 17 Apr 2009 10:06:04 -0400

2009/4/17 Michael Horne <Michael.Horne () olin edu>:

> We have been seeing that type of attack for some time now and decided to implement an older program called SSHDFilter.
>
> I believe this is the one we are using currently.
>
> http://www.csc.liv.ac.uk/~greg/sshdfilter/
>
> Works with SSHD and after X number of failed attempts it drops the source IP address into a drop list in iptables, then clears them out after a set time period to not clutter up the iptables rules.

sshdfilter, fail2ban and others do pretty well.

I'm surprised no one has mentioned connection tracking and limiting on
these *nix machines yet. You can use built-in iptables functionality
to say, "allow 5 connections in 1 minute and ban the IP if additional
connections are made".

http://www.debian-administration.org/articles/187

You can also do this with pf on FreeBSD/OpenBSD (which is actually
where I'm the most familiar with doing it).

kmw

--
Kevin Wilcox
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
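The iptables connection-tracking approach Kevin describes, written out as an added example (not code from the thread or from the linked article). The chain name SSH_LIMIT, the recent-list name sshlimit and the 192.0.2.0/24 management network are assumptions; the script prints the rules by default and only applies them when run as root with `--apply`.

```sh
#!/bin/sh
# Rate-limit NEW SSH connections per source IP with the iptables "recent"
# match: 5 new connections per 60 seconds are allowed, the rest are logged
# and dropped.  Because --set records the current packet before --update is
# evaluated, --hitcount must be (allowed + 1): the 6th attempt in the window
# is the first one dropped.  --update also refreshes the timestamp, so a
# source that keeps hammering stays blocked until it goes quiet for WINDOW s.
SSH_PORT="${SSH_PORT:-22}"
ALLOWED="${ALLOWED:-5}"          # new connections permitted per window
HITS=$((ALLOWED + 1))            # recent --hitcount threshold
WINDOW="${WINDOW:-60}"           # seconds
ALLOW_NET="${ALLOW_NET:-192.0.2.0/24}"   # assumed management network, never limited

# Emit the rule set on stdout so it can be reviewed, diffed or piped to sh.
ssh_ratelimit_rules() {
  cat <<EOF
iptables -N SSH_LIMIT
iptables -F SSH_LIMIT
iptables -A SSH_LIMIT -s $ALLOW_NET -j RETURN
iptables -A SSH_LIMIT -m recent --name sshlimit --set
iptables -A SSH_LIMIT -m recent --name sshlimit --rcheck --seconds $WINDOW --hitcount $HITS -j LOG --log-prefix "SSH-RATELIMIT: "
iptables -A SSH_LIMIT -m recent --name sshlimit --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_LIMIT
EOF
}

case "${1:-}" in
  --apply) ssh_ratelimit_rules | sh -e ;;   # requires root and iptables in PATH
  *)       ssh_ratelimit_rules ;;           # dry run: just show the rules
esac
```

Sources currently tracked by the list can be inspected in /proc/net/xt_recent/sshlimit, and the LOG rule gives a syslog trail for the dropped attempts.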
