LeRoy Cressy on 25 Jul 2007 15:00:18 -0000
Mark Baker wrote:
> Hi Guys,
>
> I am in the middle of writing a script that takes the ip addresses that
> are trying to brute force access to my servers, as detected by the
> sshdfilter script, and "shuns" them on my Cisco firewall. I was
> contemplating appending the ip addresses to an html page in real time
> and was wondering if anyone else would be interested in the data?

Why not set up your firewall to only allow ssh from known locations. I
realize that this approach makes it virtually impossible to login while
on a trip, but it works for me. Here is a portion of my iptables script
on a unixshell account:

Pardon the line breaks :-)

    # say_it, ok and failed are helpers defined elsewhere in the script
    if iptables -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp -i eth0 \
        --dport 22 -s $SSH_IP0 -j ACCEPT; then
        say_it "Port 22 ssh login requests from $SSH_IP0 accepted"; ok
    else
        say_it "Port 22 ssh login requests from $SSH_IP0 accepted"; failed
    fi

    # this rule is cut off after "--lim" in the archived message
    if iptables -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp -i eth0 \
        --dport 22 -s $SSH_IP1 -m limit --lim; then
        say_it "Port 22 ssh login requests from $SSH_IP1 logging"; ok
    else
        say_it "Port 22 ssh login requests from $SSH_IP1 logging"; failed
    fi

    if iptables -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp -i eth0 \
        --dport 22 -s $SSH_IP1 -j ACCEPT; then
        say_it "Port 22 ssh login requests from $SSH_IP1 accepted"; ok
    else
        say_it "Port 22 ssh login requests from $SSH_IP1 accepted"; failed
    fi

> I would also be interested in receiving data from other users of PLUG on
> who is attacking their networks so that I can proactively block them
> from mine before they have a chance to cause trouble. What do you guys
> think about this? Is it worth the trouble or would it cause problems
> that I am not seeing? I suppose if someone maliciously posted AOL proxy
> ip or another like that it would cause problems.
>
> I was also wondering if any of you are blocking the ip classes of china
> and other countries where it seems most of these attacks are
> originating. I am receiving these Ssh brute force attacks at an
> increasing rate, several a night, and am just looking for ways to be
> proactive and not reactive to each attack.
>
> Thanks,

--
Rev. LeRoy D. Cressy      mailto:leroy@lrcressy.com    /\_/\
                          http://lrcressy.com         ( o.o )
                          Phone: 215-535-4037          > ^ <
gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA
For info on enigmail: http://lrcressy.com/linux/mozilla.pdf
For info on gpg: http://www.gnupg.org/
Jesus saith unto him, I am the way, the truth, and the life: no man
cometh unto the Father, but by me. (John 14:6)

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
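The "only allow ssh from known locations" approach from the reply above, written out as an added example that is not part of the original post: known sources are accepted in a dedicated chain, everything else reaching port 22 is logged at a limited rate and dropped. The interface name, the source addresses and the chain name are assumptions; the say_it/ok/failed helpers from LeRoy's script are not used.

```sh
#!/bin/sh
# Added example, not from the original post. IPT defaults to "echo iptables"
# so the rules are printed rather than applied; run as root with IPT=iptables
# to install them. The addresses used below are constructed (RFC 5737 ranges).
IPT="${IPT:-echo iptables}"

ssh_allowlist_rules() {
    iface="$1"; shift                      # interface SSH arrives on, e.g. eth0

    # Fresh chain holding the inbound SSH policy (ignore "exists" on re-run).
    $IPT -N ssh-in 2>/dev/null || true
    $IPT -F ssh-in

    # Known source addresses (remaining arguments) may open new sessions.
    for src in "$@"; do
        $IPT -A ssh-in -s "$src" -j ACCEPT
    done

    # Everyone else: log a few lines per minute so brute-force runs show up
    # in syslog without flooding it, then drop.
    $IPT -A ssh-in -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix "ssh-in drop: "
    $IPT -A ssh-in -j DROP

    # Established sessions stay up; only NEW connections to 22 are policed.
    $IPT -A INPUT -i "$iface" -p tcp --dport 22 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$iface" -p tcp --dport 22 -m state --state NEW -j ssh-in
}

# Constructed sample: one home address and one office network.
ssh_allowlist_rules eth0 192.0.2.10 198.51.100.0/24
```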