Comments on: Block brute force password attempts via SSH

By: SSH

SSH — Mon, 10 Nov 2008 22:07:29 +0000

sudo iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW -m recent –set –name SSH
sudo iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW -m recent –update –seconds 60 –hitcount 8 –rttl –name SSH -j DROP

and off he goes :)

By: SSH

SSH — Mon, 10 Nov 2008 22:07:00 +0000

and off he goes :)

By: Episkipos

Episkipos — Fri, 01 Feb 2008 12:49:21 +0000

OK. How about the following as another viable alternative:
+—————————+
/usr/bin/swatch –config-file=/etc/swatchrc –tail-file=/var/log/messages \
–awk-field-syntax –tail-args “-F” &
+—————————+
watchfor /Authentication failed for user/
exec “/usr/local/sbin/lockout $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15″
+—————————+
#! /bin/bash
#
IP=`echo $* | awk ‘/Authentication failed/{sub(/\(\?@/,”");print $6}’ | sed ‘s/)//g’`
ATTEMPTS=`grep $IP /var/log/messages | grep “Authentication failed for user” | wc -l`

if [ $ATTEMPTS -gt 2 ]
then
route add $IP lo
MINUTES=`expr $ATTEMPTS – 2`
echo “route del $IP lo 2> /dev/null” | at now +$MINUTES minutes 2>&1 > /tmp/.pure-lockout.$$
(hostname ; echo $* ; echo “IP=$IP” ; echo “ATTEMPTS=$ATTEMPTS” ; \
echo “Blocking for $MINUTES minutes” ; \
cat /tmp/.pure-lockout.$$ ) | Mail -s “Lockout”
admin@example.com
fi

rm -f /tmp/.lockout.$$

By: Episkipos

Episkipos — Fri, 01 Feb 2008 12:49:00 +0000

OK. How about the following as another viable alternative:
+—————————+
/usr/bin/swatch –config-file=/etc/swatchrc –tail-file=/var/log/messages
–awk-field-syntax –tail-args “-F” &
+—————————+
watchfor /Authentication failed for user/
exec “/usr/local/sbin/lockout $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15″
+—————————+
#! /bin/bash
#
IP=`echo $* | awk ‘/Authentication failed/{sub(/(?@/,”");print $6}’ | sed ‘s/)//g’`
ATTEMPTS=`grep $IP /var/log/messages | grep “Authentication failed for user” | wc -l`

if [ $ATTEMPTS -gt 2 ]
then
route add $IP lo
MINUTES=`expr $ATTEMPTS – 2`
echo “route del $IP lo 2> /dev/null” | at now +$MINUTES minutes 2>&1 > /tmp/.pure-lockout.$$
(hostname ; echo $* ; echo “IP=$IP” ; echo “ATTEMPTS=$ATTEMPTS” ;
echo “Blocking for $MINUTES minutes” ;
cat /tmp/.pure-lockout.$$ ) | Mail -s “Lockout”
admin@example.com
fi

rm -f /tmp/.lockout.$$

By: Dave

Dave — Wed, 30 Jan 2008 13:45:48 +0000

DenyHosts works to block services using TCP Wrappers, such as SSH and FTP however services like Apache which do not use TCPWrappers would still allow that host to connect. Assuming that any IP performing brute force attacks on your system is malicious (I think that is safe to assume) – I would much rather block them from using all services rather than just services using TCP Wrappers. A Brute force attack may be an indication that someone is trying to find a way into your system, so in my opinion it is better to block them via Firewall (iptables) rather than TCP Wrappers.

By: Dave Drager

Dave Drager — Wed, 30 Jan 2008 13:45:00 +0000

By: Episkipos

Episkipos — Wed, 30 Jan 2008 12:33:31 +0000

How about denyhosts?

By: Episkipos

Episkipos — Wed, 30 Jan 2008 12:33:00 +0000

How about denyhosts?

By: systemBash » Analysis of a hacked machine

systemBash » Analysis of a hacked machine — Fri, 24 Aug 2007 18:20:19 +0000

[...] APF + BFD [...]

By: pierre

pierre — Tue, 13 Mar 2007 09:49:57 +0000

Thaks Fort the information !