On Tue, Apr 19, 2005 at 11:20:01AM +0200, Gottfried Szing wrote:
> hi guys,
>
> last week was a discussion on this list about ssh scans and almost
> everyone (including me) is ignoring the script kiddies.
>
> but i was thinking about this problem and came up with the (not new, i
> know) idea to block IPs from which subsequent failed login attempts came
> for about an hour or so. i played around with several tools but none of
> them did exactly what i wanted.
>
> what i want to achieve is to detect failed logins via SSH (e.g. with a
> limit of 3 attempts within one minute) and to drop/deny packages from the
> source IP via iptables for about one hour.
>
> because i don't start sshd via a tcp-wrapper (various reasons for this) and
> my sshd ignores the hosts.deny/hosts.allow files, i cannot add the source
> IPs which i want to block into one of these files. this also wouldn't solve
> the problem with the expiration of the rules.
>
> does somebody of you have a better idea for this? maybe calling a script
> which adds an iptables rule with an expiration?
I have done something on the simpler side: scan the syslog on the hour and
find these attempts and then find their IP address (using awk & grep - you
could probably extend this to say allow for 2-3 attempts instead of one),
then I have an iptables chain called blocked which tarpits all IP addresses
in the list; this chain is called as the first line of INPUT, FORWARD. This
way bad addresses stay on the blocked list for about 24 hours.

> thanks, gottfried
>
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
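The hourly scan-and-block job described in the reply, written out as an added example (not the list members' own script). It assumes syslog-style sshd log lines, an iptables chain named `blocked`, a state file of "ip epoch" lines at an assumed path, and uses a plain DROP where the reply uses a tarpit; set `IPT=echo` for a dry run without root.

```shell
#!/bin/sh
# Added example: hourly cron job (sshblock.sh run) that pulls source IPs of
# failed SSH logins out of the auth log, adds repeat offenders to the
# "blocked" chain (consulted first in INPUT and FORWARD) and expires them
# after 24 hours.  Paths, chain name and threshold are assumptions.
LOG="${LOG:-/var/log/auth.log}"
STATE="${STATE:-/var/lib/sshblock/blocked.db}"
THRESHOLD="${THRESHOLD:-3}"   # failed attempts before an address is blocked
TTL="${TTL:-86400}"           # seconds an address stays blocked (24 hours)
IPT="${IPT:-iptables}"        # IPT=echo prints the rules instead of applying
# Constructed sample log lines, used when $LOG is not readable.
SAMPLE='Apr 19 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 4022 ssh2
Apr 19 10:01:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
Apr 19 10:01:09 host sshd[1236]: Failed password for root from 203.0.113.5 port 4024 ssh2
Apr 19 10:02:00 host sshd[1240]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Apr 19 10:02:30 host sshd[1241]: Accepted publickey for alice from 198.51.100.7 port 5101 ssh2'

# Print every source IP whose failed-login count reaches $1 (log on stdin).
offenders() {
    awk -v n="$1" '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { cnt[$(i+1)]++; break }
    } END { for (ip in cnt) if (cnt[ip] >= n) print ip }' | sort
}
# Create the chain once and make it the first rule of INPUT and FORWARD.
setup_chain() {
    $IPT -N blocked 2>/dev/null || true
    for c in INPUT FORWARD; do
        $IPT -C "$c" -j blocked 2>/dev/null || $IPT -I "$c" 1 -j blocked
    done
}
block_ip() {   # $1 = ip, $2 = now (epoch seconds); skips already-blocked IPs
    grep -q "^$1 " "$STATE" 2>/dev/null && return 0
    $IPT -A blocked -s "$1" -j DROP && echo "$1 $2" >> "$STATE"
}
expire() {     # $1 = now; delete rules older than $TTL and rewrite the state
    [ -f "$STATE" ] || return 0
    : > "$STATE.tmp"
    while read -r ip when; do
        if [ $(($1 - when)) -ge "$TTL" ]; then $IPT -D blocked -s "$ip" -j DROP
        else echo "$ip $when" >> "$STATE.tmp"; fi
    done < "$STATE"
    mv "$STATE.tmp" "$STATE"
}
main() {
    now=$(date +%s); setup_chain; expire "$now"
    { [ -r "$LOG" ] && cat "$LOG" || printf '%s\n' "$SAMPLE"; } |
        offenders "$THRESHOLD" | while read -r ip; do block_ip "$ip" "$now"; done
}
if [ "${1:-}" = "run" ]; then main; fi
```

With the sample lines and the default threshold of 3, only 203.0.113.5 is blocked; alice's single failure from 198.51.100.7 stays under the limit.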
