Honeypots mailing list archives
Re: Displaying SSH password attempts
From: Nikola <root.admin1 () zg t-com hr>
Date: Wed, 05 Jul 2006 16:48:02 +0200
Hello,

I must say that it is very interesting to watch the logs on my hosts for the last 4-5 months, because the volume of SSH attempted/failed logins has become really large. It's a rather new trend to go brute force on some hosts... so you can look at your logs and see a few hundred attempts at guessing passwords. I must say that the only really good approach to solving this problem was creating the following procedure... I have 10 servers... and this is the general idea... When one of the servers detects 5 logins in a row from the same IP address in a given time, it marks that IP and stores it in a database... and when other hosts detect failed logins... they check the database, and if the host is marked BAD they put it in IPTABLES -j DROP. With this approach I have a ring of detect/protect systems that guards against potential 31337 crackers... The whole idea is bigger than this... but I leave it to your imagination... because it's really easy to extend this idea to anything...

sy. Nikola.
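
A sketch of the detect/share/block loop described in the message above, added here as an illustration; it is not Nikola's code. Assumptions: a 10-minute window (the post gives no figure), failures counted within the window rather than strictly "in a row", an in-memory SQLite table standing in for the shared database, and hypothetical function and table names. The rule is built as an argument list and returned, not executed.

```python
import ipaddress, re, sqlite3
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed logins from one IP, as in the post
WINDOW = timedelta(minutes=10)   # assumed; the post only says "in given time"
# Username is attacker-chosen, so the greedy .* binds to the LAST "from <ip> port".
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+(?: ssh2)?$")

def detect(lines, year=2006):
    """Return IPs with THRESHOLD failures inside WINDOW (syslog lines carry no year)."""
    recent, bad = defaultdict(deque), set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))   # reject non-address tokens
        except ValueError:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            bad.add(ip)
    return bad

def open_db(path=":memory:"):
    db = sqlite3.connect(path)         # stand-in for the database shared by all hosts
    db.execute("CREATE TABLE IF NOT EXISTS bad_hosts (ip TEXT PRIMARY KEY, seen TEXT)")
    return db

def mark_bad(db, ips):
    db.executemany("INSERT OR IGNORE INTO bad_hosts VALUES (?, datetime('now'))",
                   [(ip,) for ip in ips])
    db.commit()

def drop_rule(db, ip, allow=frozenset()):
    """What another host does on a failed login: look the IP up, build the rule."""
    ip = str(ipaddress.ip_address(ip))  # only a validated address reaches the rule
    hit = db.execute("SELECT 1 FROM bad_hosts WHERE ip = ?", (ip,)).fetchone()
    if hit and ip not in allow:        # never block allowlisted admin addresses
        return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
    return None

# Constructed sample: five failures from 192.0.2.10 in 40 s, one from 198.51.100.7.
SAMPLE = [f"Jul  5 16:40:{s:02d} srv1 sshd[4242]: Failed password for invalid user "
          f"test from 192.0.2.10 port 4{s:04d} ssh2" for s in range(0, 50, 10)]
SAMPLE.append("Jul  5 16:41:00 srv1 sshd[4243]: Failed password for root "
              "from 198.51.100.7 port 51514 ssh2")
```

Because every host trusts the shared table, an allowlist for your own management addresses keeps one spoofed or mistaken entry from locking you out of all ten servers at once.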