Re: [Nolug] blocking SSH

From: Randy Flood <stock_investor_guy_at_yahoo.com>
Date: Sun, 5 Sep 2004 10:07:29 -0700 (PDT)
Message-ID: <20040905170730.32235.qmail@web40110.mail.yahoo.com>

I remember seeing a tool (I can't think of it off the
top of my head, but it will come to me. Perhaps
someone else will see my description and know the name
of it) that, when it sees connections to services that
you are NOT running, would automatically configure
rules in /etc/hosts.deny to completely deny access from
that IP to everything. It might have even set up
ipchains or iptables rules to drop all packets from them. I
think it was called port sentry or something like that.
Anyway, by moving ssh to a non-standard port and
using port sentry, you could possibly do something
like you are talking about.

Randy

--- Jesse Planck <jesse.planck@gmail.com> wrote:

> Wow! That's a huge number of probes!
>
> I know you can use the standard hosts.allow /
> hosts.deny access control.
>
> # /etc/hosts.allow
>
> sshd : 10.40. : allow
>
> # /etc/hosts.deny
>
> sshd : ALL : deny
>
> I wonder if you could use PAM to create a rule that
> would ban, like what you are asking. I think there are
> also some configuration settings with sshd itself that
> you may look at.
>
> Jess
>
> On Sun, 5 Sep 2004 12:28:20 -0400 (EDT), Petri Laihonen
> <pietu@weblizards.net> wrote:
> > This is an excerpt of my logwatch report from yesterday.
> > !Note the line "root (61.8.206.67): 436 Time(s)"
> >
> > sshd:
> >   Invalid Users:
> >     Unknown Account: 22 Time(s)
> >   Authentication Failures:
> >     unknown (s217-115-138-105.colo.hosteurope.de): 6 Time(s)
> >     unknown (61.8.206.67): 9 Time(s)
> >     unknown (210.101.248.112): 6 Time(s)
> >     unknown (216.195.44.86): 1 Time(s)
> >     root (61.8.206.67): 436 Time(s)
> >     root (s217-115-138-105.colo.hosteurope.de): 3 Time(s)
> >     root (210.101.248.112): 3 Time(s)
> >
> > Is there a way to completely block access to the server from the offending
> > IP, let's say..... after 3 authentication failures?
> >
> > Pietu
> > ___________________
> > Nolug mailing list
> > nolug@nolug.org
> >

=====
------------------------------------------------------
Randy Flood
Randy.Flood@RHCE2B.COM
http://www.rhce2b.com
------------------------------------------------------
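The thread above asks for exactly one thing: after a few failed sshd logins from one address, add that address to /etc/hosts.deny (or a firewall drop rule) and forget about it. The following is an added example, not code from any of the posters and not PortSentry; it assumes the OpenSSH syslog format of the time ("Failed password for ... from IP", "Invalid user ... from IP"), a constructed sample of such lines, Pietu's threshold of 3 failures, and Jesse's "10.40." local network as an allow-list so a fat-fingered password from your own LAN cannot lock you out. It only prints the entries; writing /etc/hosts.deny or running iptables is root's job and is left to whoever runs it from cron.

```python
import re
from collections import Counter

# Constructed sample of sshd syslog lines, not taken from the original post
# (the addresses are the ones named in the logwatch excerpt above).
SAMPLE_AUTH_LOG = """\
Sep  4 03:12:01 box sshd[4101]: Failed password for root from 61.8.206.67 port 41230 ssh2
Sep  4 03:12:03 box sshd[4101]: Failed password for root from 61.8.206.67 port 41230 ssh2
Sep  4 03:12:05 box sshd[4103]: Failed password for root from 61.8.206.67 port 41231 ssh2
Sep  4 03:12:08 box sshd[4105]: Invalid user admin from 61.8.206.67
Sep  4 04:20:11 box sshd[4200]: Failed password for invalid user test from 210.101.248.112 port 3322 ssh2
Sep  4 04:20:14 box sshd[4202]: Failed password for root from 210.101.248.112 port 3323 ssh2
Sep  4 05:01:00 box sshd[4300]: Failed password for root from 216.195.44.86 port 2211 ssh2
Sep  4 06:15:42 box sshd[4400]: Failed password for pietu from 10.40.1.7 port 50001 ssh2
Sep  4 06:15:45 box sshd[4400]: Failed password for pietu from 10.40.1.7 port 50001 ssh2
Sep  4 06:15:49 box sshd[4400]: Failed password for pietu from 10.40.1.7 port 50001 ssh2
Sep  4 06:15:55 box sshd[4400]: Accepted password for pietu from 10.40.1.7 port 50001 ssh2
"""

# The failure shapes OpenSSH of that era logged: a bad password for a real or
# invalid user, and an unknown user name ("Invalid user" / older "Illegal user").
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user|Illegal user) .*?"
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text):
    """Return a Counter of sshd authentication failures per client IP."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return failures


def offenders(log_text, threshold=3, allow_prefixes=("10.40.",)):
    """IPs with at least `threshold` failures, minus allow-listed prefixes.

    The allow-list mirrors the "sshd : 10.40." hosts.allow entry from the
    thread (assumed LAN); prefixes use the same trailing-dot convention.
    """
    return sorted(
        ip for ip, n in count_failures(log_text).items()
        if n >= threshold and not ip.startswith(allow_prefixes)
    )


def hosts_deny_lines(ips, daemon="sshd"):
    """tcp_wrappers entries; daemon="ALL" denies every libwrap-aware service."""
    return ["%s : %s" % (daemon, ip) for ip in ips]


def iptables_commands(ips):
    """Packet-filter equivalent of what the thread describes PortSentry doing."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]


def merge_into_hosts_deny(existing_text, ips, daemon="sshd"):
    """Append entries not already present, so a cron rerun never duplicates."""
    present = {line.strip() for line in existing_text.splitlines()}
    out = existing_text
    if out and not out.endswith("\n"):
        out += "\n"
    for entry in hosts_deny_lines(ips, daemon):
        if entry not in present:
            out += entry + "\n"
            present.add(entry)
    return out


if __name__ == "__main__":
    bad = offenders(SAMPLE_AUTH_LOG)
    print("# would append to /etc/hosts.deny:")
    for line in hosts_deny_lines(bad, daemon="ALL"):
        print(line)
    print("# or, for the packet filter:")
    for cmd in iptables_commands(bad):
        print(cmd)
```

Two caveats before putting this in cron: hosts.deny only helps if sshd was built against libwrap (check with `ldd $(which sshd) | grep wrap`), otherwise only the iptables path bites; and a bruteforcer that rotates addresses will keep growing the file, so the real fix in the thread is still `PermitRootLogin no` and key-only logins in sshd_config, with this as a noise filter on top.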

Received on 09/05/04

This archive was generated by hypermail 2.2.0 : 12/19/08 EST