--
No trees were harmed in the transmission of this message, however a large number
of electrons were seriously inconvenienced.



Quoting Shawn <[EMAIL PROTECTED]>:

Hi all.

I have a server running SSH, and am noticing a lot of attempts to log in from
a few specific IP addresses.  I know these addresses are not authorized
attempts, and recognize them as a scripted probe.  But, I'd like to block
these attempts at the firewall if I can.  The downside is that I can't just
create a forwarding rule for a specific IP addresses.  The authorized people
are mobile, and will be connecting from a number of different/random IP
addresses - but they won't be failing a bunch of times in less than a few
minutes...


Look at your PAM options. There are a bunch of options available to you with
libpam-cracklib (apt-get install libpam-cracklib in Debian). I would suggest
enforcing strong passwords and a retry of 3. Somewhere in /etc/pam.d (assuming
/etc/ssh/sshd_config has "UsePAM yes").


Using ssh keys is also not "the" answer because you must trust your clients
(whoever is connecting) to keep these keys secure.  I know of a few people who
have been compromised in this fashion.

If the remote users are using sftp and do not need shell access, there are
chrootable sftp only packages out there (rssh and scponly off the top of my
head, I could be wrong)

So, I thought about building a banned list of IPs, but the GUI for IPCop
doesn't seem to support this.  I also have tried to update the Snort rules,
but these seem to be allowing the attacks through still.  I would prefer an
IDS rule that can recognize these attacks and block them, but I don't know
snort that well...  Failing that, I'm trying to figure out the "right" way to
build a banned list.


The answer to this question is probably distro/tool specific. My firewall
package (gshield) has a built in function for building ban lists (and a text
file I can append to). I have used portsentry in the past to automatically add
iptables drop rules as it detects port scans (this won't catch brute force
attacks on a single service since portsentry excludes listening service ports).


I too have noticed a large increase in these ssh attacks as of late.

In addition to an ssh presentation, might I also suggest the O'Reilly SSH book. I have lent my copy out and not seen it since, but it was a very good resource.


_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
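What the thread is asking for (drop a source address after it fails a bunch of times within a few minutes, without touching mobile users who only fumble a password once) is a small rate detector over the sshd log. The script below is an added illustration, not code from the thread or from any of the packages it mentions: it parses constructed OpenSSH "Failed password" lines, counts failures per source address inside a sliding window (default: more than 3 failures in 300 seconds, matching the "retry of 3" suggested above), and prints the iptables DROP rules an admin would append to a ban chain. The chain name SSHBAN, the year used to parse the year-less syslog timestamps, and the log lines themselves are all assumptions; nothing is executed.

```python
"""Added example: flag SSH brute-force sources from auth-log lines and render
iptables DROP rules for them. Only prints the rules; it never runs iptables."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH/syslog format (not real log data).
# 192.0.2.10 fails four times in eight seconds (scripted probe),
# 198.51.100.7 fails once then logs in (mobile user),
# 203.0.113.5 fails four times but 15 minutes apart (slow probe).
SAMPLE_LOG = """\
Sep 12 03:14:01 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Sep 12 03:14:03 gw sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 4031 ssh2
Sep 12 03:14:05 gw sshd[2105]: Failed password for root from 192.0.2.10 port 4040 ssh2
Sep 12 03:14:09 gw sshd[2107]: Failed password for invalid user oracle from 192.0.2.10 port 4052 ssh2
Sep 12 03:20:44 gw sshd[2150]: Failed password for shawn from 198.51.100.7 port 51022 ssh2
Sep 12 03:20:59 gw sshd[2152]: Accepted password for shawn from 198.51.100.7 port 51022 ssh2
Sep 12 03:30:00 gw sshd[2200]: Failed password for root from 203.0.113.5 port 6000 ssh2
Sep 12 03:45:00 gw sshd[2210]: Failed password for root from 203.0.113.5 port 6001 ssh2
Sep 12 04:00:00 gw sshd[2220]: Failed password for root from 203.0.113.5 port 6002 ssh2
Sep 12 04:15:00 gw sshd[2230]: Failed password for root from 203.0.113.5 port 6003 ssh2
"""

# Matches the sshd failure line; "invalid user" is present for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

YEAR = 2004  # assumed: syslog timestamps carry no year


def parse_failures(log_text):
    """Yield (timestamp, source_ip) for each failed-password line; ignore the rest."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_offenders(log_text, max_failures=3, window_seconds=300):
    """Return {ip: time_of_ban} for sources with more than max_failures failed
    logins inside any window_seconds span. Per-source deque holds only the
    timestamps still inside the window, so memory stays bounded."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures:
            banned[ip] = ts
    return banned


def ban_rules(offenders, chain="SSHBAN"):
    """Render one iptables rule per offender. The chain name is assumed; the
    admin creates it and jumps to it from INPUT before the SSH accept rule."""
    return [f"iptables -A {chain} -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    for rule in ban_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

With the defaults only 192.0.2.10 is banned: the legitimate user's single failure never reaches the threshold, and the slow probe from 203.0.113.5 stays under it because its attempts fall outside the five-minute window. Widening the window (say to an hour) catches that slow probe too, at the cost of being less forgiving to a user who mistypes a password a few times over an afternoon; that trade-off is the real tuning knob in any ban-list scheme, including the portsentry-style automatic rules mentioned above.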