Comments on: Block brute force password attempts via SSH http://systembash.com/content/block-brute-force-ssh/ Technology and System Administration Fri, 12 Mar 2010 08:32:56 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: SSH http://systembash.com/content/block-brute-force-ssh/comment-page-1/#comment-22407 SSH Mon, 10 Nov 2008 22:07:29 +0000 http://systembash.com/content/block-brute-force-ssh/#comment-22407 sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP and off he goes :) sudo iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW -m recent –set –name SSH
sudo iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW -m recent –update –seconds 60 –hitcount 8 –rttl –name SSH -j DROP

and off he goes :)

]]> By: Episkipos http://systembash.com/content/block-brute-force-ssh/comment-page-1/#comment-5849 Episkipos Fri, 01 Feb 2008 12:49:21 +0000 http://systembash.com/content/block-brute-force-ssh/#comment-5849 OK. How about the following as another viable alternative: +---------------------------+ /usr/bin/swatch --config-file=/etc/swatchrc --tail-file=/var/log/messages \ --awk-field-syntax --tail-args "-F" & +---------------------------+ watchfor /Authentication failed for user/ exec "/usr/local/sbin/lockout $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15" +---------------------------+ #! /bin/bash # IP=`echo $* | awk '/Authentication failed/{sub(/\(\?@/,"");print $6}' | sed 's/)//g'` ATTEMPTS=`grep $IP /var/log/messages | grep "Authentication failed for user" | wc -l` if [ $ATTEMPTS -gt 2 ] then route add $IP lo MINUTES=`expr $ATTEMPTS - 2` echo "route del $IP lo 2> /dev/null" | at now +$MINUTES minutes 2>&1 > /tmp/.pure-lockout.$$ (hostname ; echo $* ; echo "IP=$IP" ; echo "ATTEMPTS=$ATTEMPTS" ; \ echo "Blocking for $MINUTES minutes" ; \ cat /tmp/.pure-lockout.$$ ) | Mail -s "Lockout" admin@example.com fi rm -f /tmp/.lockout.$$ OK. How about the following as another viable alternative:
+—————————+
/usr/bin/swatch –config-file=/etc/swatchrc –tail-file=/var/log/messages \
–awk-field-syntax –tail-args “-F” &
+—————————+
watchfor /Authentication failed for user/
exec “/usr/local/sbin/lockout $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15″
+—————————+
#! /bin/bash
#
IP=`echo $* | awk ‘/Authentication failed/{sub(/\(\?@/,”");print $6}’ | sed ’s/)//g’`
ATTEMPTS=`grep $IP /var/log/messages | grep “Authentication failed for user” | wc -l`

if [ $ATTEMPTS -gt 2 ]
then
route add $IP lo
MINUTES=`expr $ATTEMPTS – 2`
echo “route del $IP lo 2> /dev/null” | at now +$MINUTES minutes 2>&1 > /tmp/.pure-lockout.$$
(hostname ; echo $* ; echo “IP=$IP” ; echo “ATTEMPTS=$ATTEMPTS” ; \
echo “Blocking for $MINUTES minutes” ; \
cat /tmp/.pure-lockout.$$ ) | Mail -s “Lockout”
admin@example.com
fi

rm -f /tmp/.lockout.$$

]]> By: Dave http://systembash.com/content/block-brute-force-ssh/comment-page-1/#comment-5806 Dave Wed, 30 Jan 2008 13:45:48 +0000 http://systembash.com/content/block-brute-force-ssh/#comment-5806 DenyHosts works to block services using TCP Wrappers, such as SSH and FTP however services like Apache which do not use TCPWrappers would still allow that host to connect. Assuming that any IP performing brute force attacks on your system is malicious (I think that is safe to assume) - I would much rather block them from using all services rather than just services using TCP Wrappers. A Brute force attack may be an indication that someone is trying to find a way into your system, so in my opinion it is better to block them via Firewall (iptables) rather than TCP Wrappers. DenyHosts works to block services using TCP Wrappers, such as SSH and FTP however services like Apache which do not use TCPWrappers would still allow that host to connect. Assuming that any IP performing brute force attacks on your system is malicious (I think that is safe to assume) – I would much rather block them from using all services rather than just services using TCP Wrappers. A Brute force attack may be an indication that someone is trying to find a way into your system, so in my opinion it is better to block them via Firewall (iptables) rather than TCP Wrappers.

]]> By: Episkipos http://systembash.com/content/block-brute-force-ssh/comment-page-1/#comment-5803 Episkipos Wed, 30 Jan 2008 12:33:31 +0000 http://systembash.com/content/block-brute-force-ssh/#comment-5803 How about denyhosts? How about denyhosts?

]]> By: systemBash » Analysis of a hacked machine http://systembash.com/content/block-brute-force-ssh/comment-page-1/#comment-3656 systemBash » Analysis of a hacked machine Fri, 24 Aug 2007 18:20:19 +0000 http://systembash.com/content/block-brute-force-ssh/#comment-3656 [...] APF + BFD [...] [...] APF + BFD [...]

]]> By: pierre http://systembash.com/content/block-brute-force-ssh/comment-page-1/#comment-101 pierre Tue, 13 Mar 2007 09:49:57 +0000 http://systembash.com/content/block-brute-force-ssh/#comment-101 Thaks Fort the information ! Thaks Fort the information !

]]> By: ssh pest control « 0ddn1x: a minimalist’s medley http://systembash.com/content/block-brute-force-ssh/comment-page-1/#comment-13 ssh pest control « 0ddn1x: a minimalist’s medley Sat, 14 Oct 2006 16:35:14 +0000 http://systembash.com/content/block-brute-force-ssh/#comment-13 [...] http://systembash.com/content/block-brute-force-ssh/ [...] [...] http://systembash.com/content/block-brute-force-ssh/ [...]

]]>