Honeypots mailing list archives

RE: Displaying SSH password attempts


From: "Dodge, R. LTC EECS" <Ronald.Dodge () usma edu>
Date: Wed, 5 Jul 2006 11:16:34 -0400

Hmmm.  Yes we have seen a ton of ssh brute force attacks, however our
focus has been different - instead give them easy passwords and see what
they upload/do.  Of course noting the source IPs may provide some
utility for production network protection assuming they are not a launch
box.


Ron



-----Original Message-----
From: Nikola [mailto:root.admin1 () zg t-com hr] 
Sent: Wednesday, July 05, 2006 10:48 AM
To: honeypots () securityfocus com
Subject: Re: Displaying SSH password attempts

Hello,

I must say that it is very interesting to watch the logs on my hosts for
the last 4-5 months because the volume of ssh attempted/failed logins has
become really large.
It's a rather new trend to go brute force on some hosts.....so you can
look at your logs and see a few hundred attempts at guessing passwords.

I must say that the only really good approach to solving this problem was
creating the following procedure....

I have 10 servers.....and this is general idea....

When one of the servers detects 5 logins in a row from the same IP
ADDRESS in a given time it marks that IP and stores it in a database...and
when other hosts detect failed logins...they check the database and if the
host is marked BAD they put it in IPTABLES -j DROP.

With this approach I have a ring of detect/protect system that guards from
potential 31337 crackers ......

The whole idea is bigger than this...but I leave it to your
imagination....because it's really easy to extend this idea to
anything......

sy.
Nikola.
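
The detect/mark/drop procedure described in the quoted message, sketched as an added example (not code from the post or from either author). Assumptions: OpenSSH syslog lines, a 10-minute window for "given time", SQLite standing in for the shared database, the INPUT chain, and constructed sample log lines using documentation IP ranges.

```python
import ipaddress
import re
import sqlite3
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed logins in a row (from the post)
WINDOW = timedelta(minutes=10)   # "given time": assumed value
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                  r"(Failed|Accepted) password for (?:invalid user )?\S+ from (\S+) ")

def open_shared_db(path=":memory:"):
    """Stand-in for the database all hosts consult (assumed schema)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS bad_ip (ip TEXT PRIMARY KEY, seen TEXT)")
    return db

def scan(lines, db, year=2006):
    """Mark IPs with THRESHOLD consecutive failures inside WINDOW; return newly marked."""
    recent = defaultdict(lambda: deque(maxlen=THRESHOLD))
    marked = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, result, raw_ip = m.groups()
        try:  # never pass unvalidated log text on toward a firewall command
            ip = str(ipaddress.ip_address(raw_ip))
        except ValueError:
            continue
        if result == "Accepted":
            recent[ip].clear()   # a successful login breaks the run
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        recent[ip].append(when)
        q = recent[ip]
        if len(q) == THRESHOLD and q[-1] - q[0] <= WINDOW:
            cur = db.execute("INSERT OR IGNORE INTO bad_ip VALUES (?, ?)", (ip, when.isoformat()))
            if cur.rowcount:
                marked.append(ip)
    db.commit()
    return marked

def drop_rule(db, ip):
    """Rule a peer host would apply if ip is marked BAD, else None."""
    row = db.execute("SELECT 1 FROM bad_ip WHERE ip = ?", (ip,)).fetchone()
    return f"iptables -I INPUT -s {ip} -j DROP" if row else None

# Constructed sample: one brute-force source, one user who mistypes then logs in.
SAMPLE = [f"Jul  5 10:40:0{i} web1 sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 4000{i} ssh2" for i in range(5)]
SAMPLE += [f"Jul  5 11:0{i}:00 web1 sshd[2200]: Failed password for bob from 198.51.100.9 port 5000{i} ssh2" for i in range(4)]
SAMPLE += ["Jul  5 11:05:00 web1 sshd[2200]: Accepted password for bob from 198.51.100.9 port 50005 ssh2",
           "Jul  5 11:06:00 web1 sshd[2200]: Failed password for bob from 198.51.100.9 port 50006 ssh2"]
```

The second source has five failures inside ten minutes but is not marked, because the accepted login resets its run; counting failures without that reset would block a legitimate user.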

