Full Disclosure mailing list archives

Re: SSH brute force blocking tool


From: "J. Oquendo" <sil () infiltrated net>
Date: Tue, 28 Nov 2006 12:34:47 -0500

Anders B Jansson wrote:
> Just one possibly silly question.
>
> Why are you working so hard to do this with complex scripts and stuff?
>
> I just wrote a little C snippet that runs on the firewall.
> All servers allowing external ssh send a copy of ssh auth to a port
> on the firewall.
>
> If it detects a brute force it adds the host to the block list and
> everything from that host is silently dropped.
>
> Added a whitelist function to avoid DOS attempts.
>
> Works perfectly, and adds community service by letting the trawlers
> hang until they time out.

The purpose of this wasn't to reinvent the wheel. It was to allow those using the tool to report the addresses of anyone brute forcing ssh. These addresses are going to be posted for others to see. Something like an RBL for brute forcers.


--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams
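The detector Anders sketches (auth log copies forwarded to the firewall, a per-source failure count, a block list, and a whitelist so that spoofed or forged failures cannot lock out friendly hosts) and the reporting idea in the reply above, as an added example in Python. This is not Anders's C snippet nor the tool under discussion; it assumes syslog-format sshd lines, a threshold of 5 failures inside a 10-minute sliding window, and a whitelist given as CIDR prefixes. The log lines are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as OpenSSH logs them.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_syslog_ts(line, year=2006):
    """Parse the classic 'Mon DD HH:MM:SS' syslog prefix. The line carries no
    year, so the caller supplies one (assumption: 2006 for the sample)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


class BruteForceDetector:
    """Sliding-window failure counter with a whitelist and a block list."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), whitelist=()):
        self.threshold = threshold           # failures inside the window that trigger a block
        self.window = window
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.failures = defaultdict(deque)   # source ip -> timestamps of recent failures
        self.blocklist = set()

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def observe(self, line):
        """Feed one forwarded auth log line. Returns (timestamp, ip) when this
        line pushes a source over the threshold, otherwise None."""
        m = FAILED_RE.search(line)
        if m is None:
            return None                      # not a failed login; nothing to count
        ip = m.group("ip")
        if self.is_whitelisted(ip) or ip in self.blocklist:
            return None                      # whitelisted hosts never get blocked
        ts = parse_syslog_ts(line)
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.threshold:
            self.blocklist.add(ip)
            del self.failures[ip]
            return ts, ip
        return None

    def report(self):
        """Sorted block list: the data one would publish as an RBL-style feed."""
        return sorted(self.blocklist)


def run_detector(lines, **kwargs):
    """Run every line through a fresh detector; return it and the block events."""
    det = BruteForceDetector(**kwargs)
    events = [ev for ev in (det.observe(l) for l in lines) if ev is not None]
    return det, events


# Constructed sample log lines (not from the thread), in sshd's syslog format.
# 203.0.113.5: six failures in 25 seconds -> blocked on the fifth.
# 192.0.2.10:  five failures, but inside the whitelisted prefix -> ignored.
# 198.51.100.7: five failures spread over an hour -> never fills the window.
SAMPLE_LOG = """\
Nov 28 12:00:01 gw sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Nov 28 12:00:04 gw sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Nov 28 12:00:09 gw sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Nov 28 12:00:15 gw sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Nov 28 12:00:20 gw sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Nov 28 12:00:25 gw sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Nov 28 12:02:00 gw sshd[2007]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Nov 28 12:02:05 gw sshd[2008]: Failed password for alice from 192.0.2.10 port 50002 ssh2
Nov 28 12:02:10 gw sshd[2009]: Failed password for alice from 192.0.2.10 port 50003 ssh2
Nov 28 12:02:15 gw sshd[2010]: Failed password for alice from 192.0.2.10 port 50004 ssh2
Nov 28 12:02:20 gw sshd[2011]: Failed password for alice from 192.0.2.10 port 50005 ssh2
Nov 28 12:05:00 gw sshd[2012]: Failed password for bob from 198.51.100.7 port 60001 ssh2
Nov 28 12:20:00 gw sshd[2013]: Failed password for bob from 198.51.100.7 port 60002 ssh2
Nov 28 12:35:00 gw sshd[2014]: Failed password for bob from 198.51.100.7 port 60003 ssh2
Nov 28 12:50:00 gw sshd[2015]: Failed password for bob from 198.51.100.7 port 60004 ssh2
Nov 28 13:05:00 gw sshd[2016]: Failed password for bob from 198.51.100.7 port 60005 ssh2
Nov 28 13:06:00 gw sshd[2017]: Accepted publickey for bob from 198.51.100.7 port 60006 ssh2
"""

if __name__ == "__main__":
    det, events = run_detector(SAMPLE_LOG.splitlines(), whitelist=["192.0.2.0/24"])
    for ts, ip in events:
        print(f"{ts:%H:%M:%S} block {ip}")
    print("blocklist:", det.report())
```

The whitelist is checked before anything is counted, which is what keeps a forged or replayed "Failed password ... from <friendly host>" line from turning the block list into a denial-of-service lever; the sliding window is what stops a slow, patient trawler from being counted the same as a burst, so the threshold and window are the two knobs to tune against real traffic before feeding the list to anyone else.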

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/