Re: [Nolug] blocking SSH

From: Jesse Planck <jesse.planck_at_gmail.com>
Date: Sun, 5 Sep 2004 16:10:19 -0500
Message-ID: <c141e08604090514103ab8b036@mail.gmail.com>

I've been seeing suspicious ssh brute force attacks since around March
I think. They really got massive around mid July and have leveled off
a bit since then. If you look around you will find several reports
about it. This attack almost seems personal... or if root login is
allowed with sshd then maybe the attack program detects that and hits
it really hard.

Of course why build a brute force attack program when you can just cut
and paste one - http://neworder.box.sk/explread.php?newsid=12160

Isn't the other option to get dirty with writing snort rules? I've
tested simple detection and reporting with snort, but I've never tried
to get it to take action.

jess

On Sun, 05 Sep 2004 14:04:51 -0400, Mark A. Hershberger
<mah@everybody.org> wrote:
> "Petri Laihonen" <pietu@weblizards.net> writes:
>
> > Is there a way to completely block access to the server from the offending
> > IP, let's say..... after 3 authentication failures?
>
> I don't know of a tool that will do this, but I've been thinking of
> writing a tool that will watch logfiles and block IP addresses when
> it sees suspicious activity. For example, I'm getting these root
> probes on ssh as well as regular probes on Apache for FrontPage
> vulnerabilities and the like.
>
> It'd be nice to block IPs that generate these probes. I use
> portsentry for unused ports, but it is no good on used ports.
>
>
>
> Mark.
>
> --
> A choice between one man and a shovel, or a dozen men with teaspoons
> is clear to me, and I'm sure it is clear to you also.
> -- Zimran Ahmed <http://www.winterspeak.com/>
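The log-watching blocker Mark sketches above (count sshd authentication failures per source address, act once a source passes a threshold such as Petri's three failures) is straightforward to prototype. The script below is an added example written for this archive page; it is not code from anyone in the thread. It assumes the OpenSSH "Failed password for ... from ... port ..." syslog format and an iptables firewall, and the log lines it parses are constructed samples using documentation and private address ranges. It prints the rules it would apply rather than executing them, so an administrator can review them first.

```python
import re
from collections import Counter

# Matches the "Failed password" line OpenSSH's sshd writes via syslog
# (auth.log / messages), for both real and "invalid user" accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (not taken from the thread or any real host).
SAMPLE_LOG = """\
Sep  5 15:01:02 host sshd[1201]: Failed password for root from 192.0.2.10 port 40311 ssh2
Sep  5 15:01:04 host sshd[1201]: Failed password for root from 192.0.2.10 port 40311 ssh2
Sep  5 15:01:05 host sshd[1205]: Accepted publickey for jesse from 10.0.0.5 port 50122 ssh2
Sep  5 15:01:06 host sshd[1201]: Failed password for root from 192.0.2.10 port 40311 ssh2
Sep  5 15:01:09 host sshd[1210]: Failed password for invalid user test from 192.0.2.77 port 40500 ssh2
Sep  5 15:01:10 host sshd[1211]: Failed password for jesse from 10.0.0.5 port 50130 ssh2
Sep  5 15:01:12 host sshd[1212]: Failed password for invalid user admin from 192.0.2.77 port 40510 ssh2
"""


def count_failures(lines):
    """Return a Counter of failed-password events keyed by source IP."""
    failures = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return failures


def offenders(lines, threshold=3, allowlist=()):
    """Source IPs with at least `threshold` failures, minus any allowlisted
    addresses (e.g. your own management network, so you cannot lock yourself out)."""
    counts = count_failures(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)


def block_commands(ips, port=22):
    """Build the iptables rule that would drop further SSH connections from
    each offender. Returned as strings for review rather than executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in ips]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG.splitlines(), threshold=3,
                     allowlist={"10.0.0.5"})
    for cmd in block_commands(hits):
        print(cmd)
```

On the sample above only 192.0.2.10 reaches three failures; 192.0.2.77 stops at two and the legitimate user's single typo from 10.0.0.5 is never counted against an allowlisted host. A production version of this idea would tail the log continuously, count failures within a sliding time window rather than over the whole file, and expire blocks after some period so that a spoofed or shared address is not cut off forever.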
___________________
Nolug mailing list
nolug@nolug.org
Received on 09/05/04
