Honeypots mailing list archives

Re: Displaying SSH password attempts


From: Valdis.Kletnieks () vt edu
Date: Wed, 05 Jul 2006 11:24:07 -0400

On Wed, 05 Jul 2006 16:48:02 +0200, Nikola said:

> When one of the servers detects 5 logins in a row from the same IP ADDRESS
> in a given time, it marks that IP and stores it in a database... and when
> other hosts detect failed logins, they check the database and if the host is
> marked BAD they put it in IPTABLES -j DROP.
>
> With this approach I have a ring of detect/protect systems that guards from
> potential 31337 crackers......
>
> The whole idea is bigger than this... but I leave it to your imagination...
> because it's really easy to extend this idea to anything......

In many cases, it's a lot easier to just use iptables or Windows IPSEC
filtering to only allow packets from the 2 or 3 /16's of addresses that *should*
be connecting, and just deny the others.

Remember - estimates are from 1 to 10 million zombie boxes out there. Trying
to ban them one by one is a losing proposition; they're being created faster
than you can ban them.
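The two approaches in this exchange side by side, as an added example that is not code from either poster: Nikola's reactive scheme (count failed sshd password attempts per source IP inside a time window and mark the IP once it crosses a threshold) and Valdis's static allow list (accept SSH only from the two or three /16 prefixes that should be connecting and drop the rest). The sshd log lines and the allowed prefixes are constructed for the example; the line format follows OpenSSH's "Failed password for ... from <ip> port <n> ssh2", the year is assumed to be 2006 because syslog omits it, and the threshold and window values are illustrative. Both decisions are rendered as iptables rules so the difference in rule-set growth is visible: the allow list stays at a fixed handful of rules, the ban list grows by one rule per attacking host.

```python
"""Reactive per-IP ban list versus a static source allow list for SSH."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd auth log lines (syslog style; year omitted as in
# real syslog output, so the parser assumes 2006). Not real traffic.
SAMPLE_LOG = """\
Jul  5 11:00:01 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul  5 11:00:03 host1 sshd[2012]: Failed password for invalid user test from 203.0.113.7 port 40123 ssh2
Jul  5 11:00:05 host1 sshd[2013]: Failed password for root from 203.0.113.7 port 40124 ssh2
Jul  5 11:00:06 host1 sshd[2014]: Failed password for root from 203.0.113.7 port 40125 ssh2
Jul  5 11:00:08 host1 sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 40126 ssh2
Jul  5 11:00:09 host1 sshd[2016]: Accepted publickey for valdis from 198.51.100.20 port 51000 ssh2
Jul  5 11:00:10 host1 sshd[2017]: Failed password for valdis from 198.51.100.20 port 51001 ssh2
Jul  5 11:30:00 host1 sshd[2018]: Failed password for root from 192.0.2.44 port 33000 ssh2
Jul  5 11:30:01 host1 sshd[2019]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jul  5 11:30:02 host1 sshd[2020]: Failed password for root from 192.0.2.44 port 33002 ssh2
Jul  5 12:30:00 host1 sshd[2021]: Failed password for root from 192.0.2.44 port 33003 ssh2
Jul  5 12:30:01 host1 sshd[2022]: Failed password for root from 192.0.2.44 port 33004 ssh2
"""

# Matches OpenSSH's failed-password line; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Hypothetical prefixes that *should* be connecting (assumption for the example).
ALLOWED_PREFIXES = ("198.51.0.0/16", "10.20.0.0/16")


def failed_logins(log_text, year=2006):
    """Yield (timestamp, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def ips_to_ban(log_text, threshold=5, window_seconds=600):
    """Sliding-window count (the reactive scheme): an IP is marked BAD once it
    has `threshold` failures within any `window_seconds` span."""
    recent = defaultdict(deque)
    marked = set()
    for ts, ip in sorted(failed_logins(log_text)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # failures that fell out of the window no longer count
        if len(q) >= threshold:
            marked.add(ip)
    return marked


def allowed(ip, prefixes=ALLOWED_PREFIXES):
    """Allow-list decision: True only if `ip` lies inside one of the prefixes.
    Cost depends on the number of prefixes, not on how many hosts attack."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def iptables_allowlist(prefixes=ALLOWED_PREFIXES, port=22):
    """Static rule set: one ACCEPT per trusted prefix, then DROP the rest."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {p} -j ACCEPT"
             for p in prefixes]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def iptables_banlist(ips):
    """Reactive rule set: one DROP per marked host, growing with the attackers."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    bad = ips_to_ban(SAMPLE_LOG)
    print("marked BAD:", sorted(bad))
    print("\n".join(iptables_banlist(bad)))
    print("\n".join(iptables_allowlist()))
    for ip in ("198.51.100.20", "203.0.113.7", "192.0.2.44"):
        print(ip, "allowed" if allowed(ip) else "dropped")
```

With the defaults, only 203.0.113.7 (five failures in seven seconds) is marked; 192.0.2.44 spreads its five failures over an hour and slips under a ten-minute window, which is the kind of slow scan a per-IP threshold misses but a source allow list drops regardless.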
