Thanks Samer, I'll have a go with some of the suggestions when I get to the 
server. 

 

Regards, 

 

Mike B

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Samer Y. Azmy
Sent: Tuesday, 16 October 2007 5:16 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Limiting SSH Loginattemps

 


Sorry for the multiple posts

 I wrote on ssh and brute force on my blog, and I think that we may further 
discuss it so people learn from you all

blog link : 
http://geek2live.blogspot.com/2007/10/secure-ssh-against-brute-force.html

Regards
Samer Azmy

________________________________

From: [EMAIL PROTECTED]
To: shorewall-users@lists.sourceforge.net
Date: Tue, 16 Oct 2007 09:05:26 +0000
Subject: Re: [Shorewall-users] Limiting SSH Loginattemps

I think that you can try 
Options like these help (in /etc/sshd_config): 
MaxAuthTries 4 
MaxStartups 1:3:6 

still you can use one of the below options

BlockHosts 
BlockHosts <http://www.aczoom.com/cms/blockhosts/> is a script written in 
Python, and is easier to set up, maintain, and configure. The idea behind 
BlockHosts is to continuously scan a syslog file for SSHD failed login 
attempts, and add the IP addresses listed there (after a predetermined number 
of attempts have been exceeded) to the system's /etc/hosts.deny file -- a 
different approach from that of Daemon Shield, which uses iptables to block 
connection attempts.
After installing the software, run the included setup script (as described in 
the INSTALL file). The setup script copies and installs all of the necessary 
BlockHosts files to their proper locations:
python setup.py install --force
Once you have the BlockHosts script installed, begin configuration by editing 
the /etc/blockhosts.cfg file. BlockHosts comes with a default configuration 
file with all options commented out. Edit this file and uncomment each line 
suitable for your installation. All of the options are well-documented in the 
comments, and can be uncommented by removing the "#" at the beginning of each 
line.
Once your configuration file is ready, the next step is to prepare the 
/etc/hosts.deny (or /etc/hosts.allow, depending on your installation) for 
BlockHosts by copying the following lines (in their entirety) to your 
hosts.{deny|allow} file:
#---- BlockHosts Additions
#---- BlockHosts Additions
sshd:ALL:spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )&:allow
proftpd:ALL: spawn (/usr/bin/blockhosts.py --verbose >> /var/log/blockhosts.log 2>&1 )&:allow
These instructions tell the system to automatically run (spawn) the BlockHosts 
script (/usr/bin/blockhosts.py) each time a user attempts to connect to your 
system via either SSH or ProFTP. The script will then determine if the 
connecting host should be allowed access or be blocked.
Once you have completed these steps, you can begin watching for dictionary attacks. 
Each blocked address will be added to your hosts.{deny|allow} file and 
prevented from accessing your machine for the specified length of time 
(specified by AGE_THRESHOLD in the /etc/blockhosts.cfg file).
sshdfilter 
sshdfilter <http://www.csc.liv.ac.uk/%7Egreg/sshdfilter/> blocks 
dictionary attackers using iptables, and is very efficient in how it detects 
them. The sshdfilter script starts the SSHD service itself, and instructs SSHD 
to output all log details to stdout (which is then captured by sshdfilter). In 
this way, the script can detect attacks as they happen, in real time, and 
significantly reduces the overhead involved in searching for offenders.
Unfortunately, the sshdfilter script is more complex to set up and install than 
the Daemon Shield software, partly because the author has made 
distribution-specific installation files that failed for my (non-included) 
Mandriva system. Out-of-the-box configurations include Red Hat 7.3 and 9.0, 
Fedora Core 3, and Debian 3.1. Details exist for users who want to attempt an 
install on an unsupported system, though they appear to be highly 
platform-specific.
Employing the basic practices and scripts above, you can harden your Linux 
machine against many of the dictionary SSH attacks that plague Linux systems 
today. Keeping your system's software up to date goes a long way toward 
protecting yourself against many common security vulnerabilities that automated 
scripts attempt to take advantage of. Don't let your system be the jumping-off 
point for spam, additional system attacks, or even blackmail -- protect 
yourself with these practices today.
> Date: Mon, 15 Oct 2007 18:59:10 +0100
> To: shorewall-users@lists.sourceforge.net
> From: [EMAIL PROTECTED]
> Subject: Re: [Shorewall-users] Limiting SSH Loginattemps
> 
> Chuck Kollars wrote:
> 
> >The first thing I do is make sure my network is _not_
> >pingable from the Internet. If you "pong", they know
> >you exist, and they'll start hunting for your SSHD.
> 
> My 2d worth, disabling Ping doesn't make the machine much harder to 
> find, and it makes diagnosing problems much harder - in other words, 
> IMHO speaking as a networking guy that regularly has to diagnose 
> problems AND as a sysadmin, disabling Ping does at least as much harm 
> as it does good.
> 
> YMMV, that's my opinion.
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
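The BlockHosts approach described above (scan syslog for failed sshd logins, count per source address, and write offenders between two marker lines in hosts.deny, expiring them after an age threshold) in miniature, as an added example written for this thread and not BlockHosts' own code. The log lines are constructed, and the thresholds, the "ALL: ip : deny" line format and the marker handling are assumptions, not BlockHosts' exact behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in the classic sshd format (not a real log).
SAMPLE_LOG = """\
Oct 16 08:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4410 ssh2
Oct 16 08:01:05 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 4412 ssh2
Oct 16 08:01:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 4415 ssh2
Oct 16 08:01:12 host sshd[2107]: Failed password for root from 203.0.113.7 port 4417 ssh2
Oct 16 08:02:30 host sshd[2120]: Failed password for mike from 198.51.100.9 port 5100 ssh2
Oct 16 08:02:40 host sshd[2120]: Accepted password for mike from 198.51.100.9 port 5100 ssh2
Oct 16 02:00:00 host sshd[1900]: Failed password for root from 192.0.2.44 port 3333 ssh2
Oct 16 02:00:03 host sshd[1901]: Failed password for root from 192.0.2.44 port 3334 ssh2
Oct 16 02:00:06 host sshd[1902]: Failed password for root from 192.0.2.44 port 3335 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

MARKER = "#---- BlockHosts Additions"  # the two marker lines from the thread

def failed_attempts(log_text, year):
    """Return {ip: [timestamps]} of failed sshd logins; syslog lacks the year."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append(ts)
    return hits

def hosts_to_block(hits, now, count_threshold=3, age_threshold=timedelta(hours=1)):
    """IPs with at least count_threshold failures within age_threshold of now.
    Older failures expire and no longer count (assumed AGE_THRESHOLD semantics)."""
    blocked = []
    for ip, stamps in hits.items():
        recent = [t for t in stamps if now - t <= age_threshold]
        if len(recent) >= count_threshold:
            blocked.append(ip)
    return sorted(blocked)

def render_hosts_deny(blocked):
    """Text to place between the two marker lines in hosts.deny (assumed format)."""
    body = [f"ALL: {ip} : deny" for ip in blocked]
    return "\n".join([MARKER, *body, MARKER])
```

Note that 198.51.100.9 (one failure, then success) is never blocked, and 192.0.2.44's three failures at 02:00 only count when the age threshold is widened.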

