Full Disclosure mailing list archives
Re: reduction of brute force login attempts via SSH through iptables --hashlimit
From: "Christian \"Khark\" Lauf" <full-disclosure () kharkerlake net>
Date: Tue, 28 Feb 2006 22:45:57 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, was fail2ban ( http://fail2ban.sourceforge.net/ ) already mentioned? It works like -sk's script. It searches your auth.log (or wherever your sshd messages go to) for all typical sshd failure-messages. After a user-defined count of "n" login failures from one IP where counted in "x" user-defined seconds, it bans all traffic from that IP for "t" seconds via iptables. After "t" seconds the rule will be automatically delete. On my Debian Sarge server it works quite well. (Included in Debian Etch, Gentoo and RedHat packages are also available.) But I haven't tested if fail2ban is vulnerable against DoS-Attacks, for example if you spoof your IP with the IP of the gateway your server is directly connected to. And then try to login via ssh on $victim_host with the IP of $gateway. - Would have the side-effect that ALL incoming traffic will be dropped, as long as the rule stays active. iptables -L output shows the following for fail2ban chain: ##### Before - Empty ruleset ##### Chain fail2ban-SSH (1 references) target prot opt source destination RETURN all -- anywhere anywhere ##### After adding an IP to banlist ##### Chain fail2ban-SSH (1 references) target prot opt source destination DROP all -- shell.xxxxxxxxxx.de anywhere RETURN all -- anywhere anywhere Though, the iptables-commands can be easily changed in /etc/fail2ban.conf (look for "fwban"). Just my 2 cents, Christian "Khark" Lauf - -- Christian "Khark" Lauf <khark () kharkerlake net> GPG: 0x6AADC60A | IRCnet/silcnyet: Khark silcnyet-Fingerprint: 9424 E3BF B637 E1FC E355 BA7C 01CC 1B68 3A1C E330 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFEBMSUAaLWKGqtxgoRApY8AJ47D5FfQ/bgIeZ6NSO9YF5hA6IarwCcDdQZ ohVxfnuF+8FCfMbPYjHtgL4= =KpTi -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- reduction of brute force login attempts via SSH through iptables --hashlimit Jay Libove (Feb 28)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit Matthijs van Otterdijk (Feb 28)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit GroundZero Security (Feb 28)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit Christian "Khark" Lauf (Feb 28)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit Gary Leons (Feb 28)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit GroundZero Security (Feb 28)
- Re: reduction of brute force login attempts via SSH through iptables --hashlimit Gary Leons (Feb 28)