[Nolug] Re: [brlug-general] slowing down ssh attacks

From: Scott Harney <scotth_at_scottharney.com>
Date: Sun, 17 Jul 2005 13:26:13 -0500
Message-ID: <87d5phthkq.fsf@zenarcade.local.lan>

Joey Kelly <joey@joeykelly.net> writes:

> I ran across a bit of iptables that claims to slow down the ssh dictionary
> attacks we've all been seeing in our logs. Anyone care to analyse this?

I looked at this a number of months ago and came up with a different
idea. I use a script that monitors /var/log/auth.log for a series of
"Authentication denied" messages and adds hosts to /etc/hosts.deny.
My inspiration was a script to add attackers to OpenBSD's firewall.
The problem with that is that every *nix has a different firewall rule
syntax and ssh may be being passed through to NATted hosts behind the
firewall. TCP wrappers is ubiquitous and the ssh attack is pretty
dumb, so adding infected attackers to hosts_deny struck me as a good
solution.

The script may need a little tweaking for different environments but
it's pretty simple stuff. You can find it at
http://www.scottharney.com/blog/Computers/Security/#ssh_blocker_wrap-sh.html
. Incidentally, another fella came up with a similar idea and has his
python script at http://denyhosts.sourceforge.net.

-- 
Scott Harney <scotth@scottharney.com>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5 
___________________
Nolug mailing list
nolug@nolug.org
Received on 07/17/05
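
Added example (not Scott Harney's script and not DenyHosts code): a sketch of the approach described in the message above, counting failed ssh logins per source address and producing /etc/hosts.deny entries. It assumes OpenSSH "Failed password ... from <ip> port <n> ssh2" log lines rather than the "Authentication denied" text the message mentions; the function names, the threshold and the allowlist are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Assumed log format: OpenSSH "Failed password" lines as written by syslog.
# The pattern is anchored at the end of the line so that text inside the
# user name field, which the client controls, is never read as the source.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\S+) port \d+(?: ssh\d?)?$"
)

def offenders(log_lines, threshold=5, allow=("127.0.0.0/8",)):
    """Return source addresses with at least `threshold` failures."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a literal address: never write it to hosts.deny
        if any(addr in n for n in allowed):
            continue  # never block allowlisted (e.g. management) networks
        counts[addr] += 1
    return sorted(str(a) for a, c in counts.items() if c >= threshold)

def deny_entries(addresses, existing_text=""):
    """Build hosts.deny lines for addresses not already listed."""
    present = set(re.findall(r"^sshd:\s*(\S+)", existing_text, re.M))
    # hosts_access(5) writes IPv6 addresses in square brackets.
    tokens = [f"[{a}]" if ":" in a else a for a in addresses]
    return [f"sshd: {t}" for t in tokens if t not in present]

# Constructed sample input (documentation addresses), not real log data.
# The fifth line carries a user name crafted to look like another source.
SAMPLE = (
    ["Jul 17 13:00:0%d host sshd[411]: Failed password for invalid user "
     "admin from 203.0.113.9 port 4242 ssh2" % i for i in range(4)]
    + ["Jul 17 13:00:05 host sshd[412]: Failed password for invalid user "
       "x from 192.0.2.1 port 22 ssh2 from 203.0.113.9 port 4243 ssh2"]
    + ["Jul 17 13:01:00 host sshd[413]: Failed password for root "
       "from 198.51.100.7 port 5000 ssh2"]
    + ["Jul 17 13:02:00 host sshd[414]: Failed password for root "
       "from 127.0.0.1 port 5001 ssh2"] * 6
)

if __name__ == "__main__":
    print("\n".join(deny_entries(offenders(SAMPLE))))
```

The allowlist and the end-of-line anchoring matter because anything that turns log text into deny rules can otherwise be steered into blocking a host of the sender's choosing, including your own.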
