MaxieZ said:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>> Hey all,
>>
>> I'm looking for an app/script which can monitor for failed ssh logins,
>> and block using IPTables for $time after $number of failed logins (an
>> exclusion list would be handy as well) so that I can put a quick stop to
>> these niggly brute-force ssh "attacks" I seem to be getting more and
>> more often.
>
> http://kodu.neti.ee/~risto/sec/
>
> or change ports
Changing ports does a wonderful job of cutting down on spurious connects.
Going one tiny step further, I like to know if anyone has ever connected
to my sshd. So I do the following:
1. Set loglevel for sshd to verbose
2. cron a connect report to run once an hour. This tells me the IP and
reverse IP address of every host to do a full connect. AFAIK, a full
connect would be necessary to see the banner and identify the port as
running sshd.
My connect-report script is as follows:
#!/bin/sh
echo "Remote SSH Connection report for $HOSTNAME"
echo "------------------------------------------"
echo
# Pull the source address out of every verbose-level "Connection from" line,
# de-duplicate the list and hand each address to the phost reverse-lookup
# helper. The pattern is quoted so the shell cannot glob-expand it.
egrep "Connection from" < /var/log/auth.log \
    | egrep -o '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+' \
    | sort | uniq | /root/bin/phost
The above script relies on phost, a small helper script (because I
couldn't stand to spend more than 5 minutes trying to figure out which IP
lookups would accept input from stdin):
#!/usr/bin/perl
use strict;
use warnings;
# Reverse-resolve each address read from stdin with host(1).
while (my $ip = <STDIN>) {
    chomp $ip;                        # drop the newline before it reaches the shell
    next unless $ip =~ /^[\d.]+$/;    # only pass a plain dotted quad to host(1)
    print `host $ip`;
}
I have never seen a connect from an IP I didn't expect, and if I ever do,
I can just move sshd to another port if I am feeling excessively paranoid.
--
[email protected] mailing list
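The hourly connect report described above, reworked as an added example that is not from this thread: it parses sshd's verbose "Connection from" lines the same way, but also tallies "Failed password" lines per address and honours the exclusion list Jeremy asked for. The log lines are constructed sample data, and the reverse lookup is pluggable so the parsing can be checked offline.

```python
import re
import socket
from collections import Counter

# Constructed sample of sshd auth.log lines at LogLevel VERBOSE (not real data).
SAMPLE_AUTH_LOG = """\
Oct  3 10:12:01 host sshd[2311]: Connection from 192.0.2.10 port 51234
Oct  3 10:12:03 host sshd[2311]: Accepted publickey for jeremy from 192.0.2.10 port 51234 ssh2
Oct  3 10:15:44 host sshd[2320]: Connection from 198.51.100.7 port 40001
Oct  3 10:15:45 host sshd[2320]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct  3 10:15:49 host sshd[2320]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct  3 10:16:02 host sshd[2325]: Connection from 198.51.100.7 port 40002
Oct  3 10:16:03 host sshd[2325]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct  3 11:01:10 host sshd[2400]: Connection from 203.0.113.5 port 33000
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONNECT_RE = re.compile(r"sshd\[\d+\]: Connection from " + IPV4 + r" port \d+")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?\S+ from " + IPV4 + r" port")

def reverse_lookup(ip):
    """Same job as the phost helper: PTR lookup, or None when the address has no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def summarize(log_text, exclude=(), lookup=reverse_lookup):
    """Per source address that completed a TCP connect: connect count, failed-login
    count and reverse name. Addresses in `exclude` (the exclusion list) are skipped."""
    connects, failed = Counter(), Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connects[m.group(1)] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(1)] += 1
    return {ip: {"connects": n, "failed": failed[ip], "host": lookup(ip)}
            for ip, n in sorted(connects.items()) if ip not in exclude}

def report(log_text, hostname, exclude=(), lookup=reverse_lookup):
    """Render the same header the original script prints, followed by one line per address."""
    lines = [f"Remote SSH Connection report for {hostname}", "-" * 42]
    for ip, info in summarize(log_text, exclude, lookup).items():
        lines.append(f"{ip:<16} {info['host'] or '(no PTR)':<30} "
                     f"connects={info['connects']} failed={info['failed']}")
    return "\n".join(lines)

if __name__ == "__main__":  # real DNS lookups happen only when run directly
    print(report(SAMPLE_AUTH_LOG, "host", exclude={"192.0.2.10"}))
```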