Full Disclosure mailing list archives
RE: SSH Bruteforce blocking script
From: Ron DuFresne <dufresne () winternet com>
Date: Tue, 6 Sep 2005 17:26:43 -0500 (CDT)
And yet, if one was reading the netfilter lists and looking for something more robust, there is a script that has been maintained for a number of months now that I'm sure will fit your needs. I'm too busy and lazy to get the link to it, but a simple google search should point it out and the whole set of nearly bi-monthly threads that covers it and its variants in detail.

Yet, where one can limit, limiting access to sshd these days is preferred, as openssl and the openssh code tend to be quite the problem with maintenance, almost like the 90's with ftpd and sendmail....

Thanks,

Ron DuFresne

On Mon, 5 Sep 2005, Michael L Benjamin wrote:
Thanks miah, I wasn't aware of this functionality in iptables. It doesn't offer the kind of permanency or logging that I might want, but it's a good suggestion nonetheless for other services/situations.

Mike.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of miah
Sent: Friday, September 02, 2005 11:56 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script

If you're running iptables why not make use of hashlimit? Once a limit is reached all connection attempts from that IP would be blocked until the hash entry expires.

An example pulled from the web:

iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \
  1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \
  --state NEW -j ACCEPT

https://www.redhat.com/archives/fedora-test-list/2005-August/msg00061.html
http://tinyurl.com/94fak

Also, don't forget to man iptables or iptables -m hashlimit -h

-miah

On Fri, Sep 02, 2005 at 07:33:02PM +0800, Michael L Benjamin wrote:

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pedro Hugo
Sent: Friday, 2 September 2005 05:53 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script

Hi,

I don't want to debate the goodness or badness of the strategy of blocking hosts like this in /etc/hosts.deny. It works perfectly for me, and most likely would for you, so no religious debates thanks. It's effective at blocking bruteforce attacks. If a host EXCEEDS a specified number of guesses during the (configurable) 30 seconds it takes the script to cycle, the host is blacklisted.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
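Added example, not part of the original thread or of any poster's script: a sketch of the per-cycle check described in the quoted original post, where a host that exceeds a set number of failed guesses in one polling window gets an /etc/hosts.deny entry. The log lines are constructed, the function names and the allowlist argument are assumptions, and the address is read from the fixed tail of each line because user names are client-supplied text.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address in one polling
# window and emit hosts.deny entries for hosts that exceed a limit.

# Constructed sample of one window's log lines (documentation address ranges).
sample_log() {
cat <<'EOF'
Sep  2 19:33:01 box sshd[811]: Failed password for root from 192.0.2.10 port 40100 ssh2
Sep  2 19:33:03 box sshd[812]: Failed password for invalid user admin from 192.0.2.10 port 40101 ssh2
Sep  2 19:33:05 box sshd[813]: Failed password for invalid user a b from 192.0.2.10 port 40102 ssh2
Sep  2 19:33:06 box sshd[814]: Failed password for root from 198.51.100.7 port 40200 ssh2
Sep  2 19:33:07 box sshd[815]: Failed password for root from 198.51.100.7 port 40201 ssh2
Sep  2 19:33:09 box sshd[816]: Failed password for mike from 203.0.113.5 port 51000 ssh2
Sep  2 19:33:10 box sshd[817]: Failed password for mike from 203.0.113.5 port 51001 ssh2
Sep  2 19:33:11 box sshd[818]: Failed password for mike from 203.0.113.5 port 51002 ssh2
Sep  2 19:33:12 box sshd[819]: Accepted password for mike from 203.0.113.5 port 51003 ssh2
EOF
}

# offenders LIMIT [ALLOWED_IP...]: read one window of log lines on stdin and
# print every source address with MORE than LIMIT failures, sorted.
# Allowlisted addresses (e.g. the admin's own host) are never reported.
offenders() {
    limit=$1; shift
    awk -v limit="$limit" -v allow=" $* " '
        # Anchor on the tail "... from ADDR port N ssh2": the user name can
        # contain spaces, so counting fields from the left is unreliable.
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next   # IPv4 only
            if (index(allow, " " ip " ")) next                    # allowlist
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# deny_lines: turn addresses on stdin into TCP wrappers hosts.deny entries.
deny_lines() {
    sed 's/^/sshd: /'
}

# Limit of 2 failures per window; 203.0.113.5 is the allowlisted admin host.
sample_log | offenders 2 203.0.113.5 | deny_lines
```

The output is printed rather than appended to /etc/hosts.deny so it can be reviewed first.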