Antony P Joseph on 25 Jul 2007 15:55:20 -0000



Re: [PLUG] ssh brute force attacks & real time offending IP lists


Hi
   How about using the "port knocking" daemon knockd?
  http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
  That way your ssh port will be closed until port knocking succeeds.
With regards
Antony

On Wed, 2007-07-25 at 10:59 -0400, LeRoy Cressy wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Mark Baker wrote:
> > Hi Guys,
> > 
> > I am in the middle of writing a script that takes the IP addresses that
> > are trying to brute force access to my servers, as detected by the
> > sshdfilter script, and "shuns" them on my Cisco firewall.  I was
> > contemplating appending the IP addresses to an html page in real time
> > and was wondering if anyone else would be interested in the data?
> > 
> 
> Why not set up your firewall to only allow ssh from known locations.  I
> realize that this approach makes it virtually impossible to log in while
> on a trip, but it works for me.
> 
> Here is a portion of my iptables script on a unixshell account:
> Pardon the line breaks :-)
> 
> if iptables -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp -i eth0 --dport 22 -s $SSH_IP0 -j ACCEPT; then
>    say_it "Port 22 ssh login requests from $SSH_IP0 accepted"; ok;
> else
>    say_it "Port 22 ssh login requests from $SSH_IP0 accepted"; failed;
> fi
> 
> if iptables -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp -i eth0 --dport 22 -s $SSH_IP1 -m limit --lim
>    say_it "Port 22 ssh login requests from $SSH_IP1 logging"; ok
> else
>    say_it "Port 22 ssh login requests from $SSH_IP1 logging"; failed;
> fi
> 
> if iptables -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp -i eth0 --dport 22 -s $SSH_IP1 -j ACCEPT; then
>    say_it "Port 22 ssh login requests from $SSH_IP1 accepted"; ok
> else
>    say_it "Port 22 ssh login requests from $SSH_IP1 accepted"; failed;
> fi
> 
> 
> > 
> > I would also be interested in receiving data from other users of PLUG on
> > who is attacking their networks so that I can proactively block them
> > from mine before they have a chance to cause trouble.  What do you guys
> > think about this?  Is it worth the trouble or would it cause problems
> > that I am not seeing? I suppose if someone maliciously posted an AOL proxy
> > IP or another like that it would cause problems.
> > 
> > 
> > I was also wondering if any of you are blocking the IP classes of China
> > and other countries where it seems most of these attacks are
> > originating. I am receiving these SSH brute force attacks at an
> > increasing rate, several a night, and am just looking for ways to be
> > proactive and not reactive to each attack.
> > 
> > 
> > Thanks,
> 
> - --
>  Rev. LeRoy D. Cressy  mailto:leroy@lrcressy.com   /\_/\
>                        http://lrcressy.com        ( o.o )
>                        Phone:  215-535-4037        > ^ <
> 
> gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA
> 
> For info on enigmail:    http://lrcressy.com/linux/mozilla.pdf
> For info on gpg:         http://www.gnupg.org/
> 
> Jesus saith unto him, I am the way, the truth, and the life:
> no man cometh unto the Father, but by me. (John 14:6)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iQIVAwUBRqdlTnlsxrSGsIsqAQh74BAAraSzttBB+hH/8Xliac+3Eg11bVSbIAS+
> PI4jbWAQhweQC1LU7XdO1ui69Hxj3QXRbtLc3nLXi9iqDxYbZLI2ETSrZRIY1AUM
> LGK6DLoyJFl/6uy4dYMgovrP/gBKFvlJhp+vA8ee/00fTg2H7gWmjNaQMo8afzpn
> Tv2bUY28fDinn6cau6fNnyp2vWWGXHU5euRTpOUXEiYn3/EfO7TIoZa/qCQIeYe/
> zBxB8sjw3GQvsnCZLi8BJLgybRR35NbtF3jiRckSp/ivRgD1TVzW7b0CvOI8FmFN
> +jTeYIxrxUohPki/wEWM35pSVykwBXTZk68uPFdOaIyBie//gT9xFwTLxpKcE7aF
> eIPx90ZSVxrqPeqI3sRm389Oqmg7+ec1LnXuICSAKcVElEKshYhRJPxmpnatJOUs
> rWvhqimWLcPsPPZu5v4nvqAbI8Px1XOmZX6gLWpiG1ZSFDwdqIA6XXH+yNsSBLJG
> CZagcbMW70+zNLvarpInS+eIxWidjSK4Uc3dCzyZ73AWXqQ/XuggNn1rZV+56Ang
> iPTyjMY4+Cn13JWIXdi1bqINWcwXnZQ40yLW+b0uBwsovxtvGaSffWVBJygSf9Uv
> l7MM5rO61fD6b4+u9QFBVua0AbZkQAE9APbKVmhRZV2OnORqi/WYYb2QcwsFvP+a
> YyyjvwhJ4Z4=
> =NuxB
> -----END PGP SIGNATURE-----
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
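
As an added example, not code from any poster in this thread: a small Python script of the kind Mark describes, which counts sshd "Failed password" lines per source address within a time window, and which vets any address (its own findings or a list received from other PLUG members) before it is turned into a firewall rule, so that a maliciously posted proxy address, a trusted range, or an over-broad prefix never gets shunned. The log lines are constructed (RFC 5737 documentation addresses), the threshold and window are arbitrary choices, 198.51.100.0/24 is assumed to stand in for the admin's own known locations, and the iptables rules are only rendered as strings for review, not executed.

```python
"""Detect ssh brute-force sources in sshd log lines and vet a block list before use."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of auth.log style sshd lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 25 02:14:01 host sshd[4011]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jul 25 02:14:03 host sshd[4013]: Failed password for invalid user oracle from 203.0.113.45 port 51023 ssh2
Jul 25 02:14:05 host sshd[4015]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jul 25 02:14:07 host sshd[4017]: Failed password for invalid user test from 203.0.113.45 port 51025 ssh2
Jul 25 02:14:09 host sshd[4019]: Failed password for invalid user guest from 203.0.113.45 port 51026 ssh2
Jul 25 02:20:00 host sshd[4101]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jul 25 02:20:02 host sshd[4103]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jul 25 02:20:04 host sshd[4105]: Failed password for alice from 198.51.100.7 port 40003 ssh2
Jul 25 02:20:06 host sshd[4107]: Failed password for alice from 198.51.100.7 port 40004 ssh2
Jul 25 02:20:08 host sshd[4109]: Failed password for alice from 198.51.100.7 port 40005 ssh2
Jul 25 02:20:30 host sshd[4111]: Accepted publickey for alice from 198.51.100.7 port 40006 ssh2
Jul 25 03:00:00 host sshd[4201]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jul 25 03:00:01 host sshd[4203]: Failed password for root from 192.0.2.9 port 33002 ssh2
Jul 25 03:00:02 host sshd[4205]: Failed password for root from 192.0.2.9 port 33003 ssh2
Jul 25 03:00:03 host sshd[4207]: Failed password for root from 192.0.2.9 port 33004 ssh2
Jul 25 03:00:04 host sshd[4209]: Failed password for root from 192.0.2.9 port 33005 ssh2
Jul 25 03:00:05 host sshd[4211]: Failed password for root from 192.0.2.9 port 33006 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .+ from (\S+) port \d+"
)

# Ranges that must never be shunned, whatever list they arrive on. Assumption:
# 198.51.100.0/24 stands in for the admin's own known locations (LeRoy's $SSH_IP0/$SSH_IP1).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "198.51.100.0/24",
)]
MIN_PREFIXLEN = 24  # refuse anything broader than a /24 coming from a shared feed


def parse_failures(text, year=2007):
    """Yield (timestamp, address) for every 'Failed password' line; syslog omits the year."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, ipaddress.ip_address(m.group(2))


def find_offenders(text, threshold=5, window=timedelta(minutes=10)):
    """Sorted addresses with at least `threshold` failures inside some `window`."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        by_ip[ip].append(ts)
    offenders = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.append(str(ip))
                break
    return sorted(offenders)


def safe_to_block(entry):
    """True only for a well-formed host or network that is neither too broad nor trusted."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:                          # garbage in a shared list is dropped, not applied
        return False
    if net.prefixlen < MIN_PREFIXLEN:
        return False
    return not any(net.overlaps(t) for t in NEVER_BLOCK)


def vet_shared_list(entries):
    """Split entries received from others into (accepted, rejected) before they reach the firewall."""
    accepted, rejected = [], []
    for e in entries:
        (accepted if safe_to_block(e.strip()) else rejected).append(e.strip())
    return accepted, rejected


def shun_candidates(text):
    """Offenders from our own logs, minus anything on the never-block list."""
    return [ip for ip in find_offenders(text) if safe_to_block(ip)]


def build_shun_rules(entries):
    """Render drop rules for the ssh port as strings for review; nothing here runs iptables."""
    return [f"iptables -I INPUT -p tcp --dport 22 -s {e} -j DROP" for e in entries]


if __name__ == "__main__":
    for rule in build_shun_rules(shun_candidates(SAMPLE_LOG)):
        print(rule)
```

On the sample above, alice's five typos from the trusted range trip the threshold but are filtered out by `safe_to_block`, while the two scanning hosts become drop rules; the same function applied through `vet_shared_list` rejects a trusted address, a malformed entry and a `0.0.0.0/0` on a list received from elsewhere, which is the check Mark's worry about a maliciously posted proxy address calls for.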
