RE: SSH Bruteforce blocking script

[Ron DuFresne <dufresne () winternet com>]

And yet, if one was reading the netfilter lists and looking for something
more robust, there is a script that has been maintained for a number of
months now that I'm sure will fit your needs.  I'm too busy and lazy to
get the link to it, but a simple google search should point it out and the
whole set fo nearly bi monthly threads that covers it and it's variants in
detail.

Yet, where one can limit, limiting access to sshd these days is prefered,
as openssl and the openssh code tend to be quite the problem with
maintainance, almost like the 90's with ftpd and sendmail....


Thanks,

Ron DuFresne


On Mon, 5 Sep 2005, Michael L Benjamin wrote:

> Thanks miah,
>
> I wasn't aware of this functionality in iptables. It doesn't offer the
> kind of permanency or logging that
> I might want, but it's a good suggestion nonetheless for other
> services/situations.
>
> Mike.
>
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of miah
> Sent: Friday, September 02, 2005 11:56 PM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
>
> If you're running iptables why not make use of hashlimit?  Once a limit
> is reached all connection attempts from that IP would be blocked until
> the hash entry expires.
>
> An example pulled from the web:
> iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \
> 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \ --state NEW
> -j ACCEPT
>
> https://www.redhat.com/archives/fedora-test-list/2005-August/msg00061.ht
> ml
> http://tinyurl.com/94fak
>
> Also, don't forget to man iptables or iptables -m hashlimit -h
>
> -miah
>
> On Fri, Sep 02, 2005 at 07:33:02PM +0800, Michael L Benjamin wrote:
> > -----Original Message-----
> > From: full-disclosure-bounces () lists grok org uk
> > [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pedro
> > Hugo
> > Sent: Friday, 2 September 2005 05:53 PM
> > To: full-disclosure () lists grok org uk
> > Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
> >
> > Hi,
> >
> > > I don't want to debate the goodness or badness of the strategy of
> > > blocking hosts like this in /etc/hosts.deny. It works perfectly for
> > > me, and most likely would for you, so no religious debates thanks.
> > > It's effective at blocking bruteforce attacks. If a host EXCEEDS a
> > > specified number of guesses during the (configurable) 30 seconds it
> > > takes the script to cycle, the host is blacklisted.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/