Haven't tried it myself (and the discussion page seems to indicate that it is possibly buggy), but the Gentoo Wiki has information on a program called Swatch that will do exactly that -- let you set a threshold for the number of possible bad logins and then reject that IP address. No guarantees it will work (as I haven't used it), but perhaps worth looking into.

http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_Swatch

On 9/14/05, Michael Wasser <[EMAIL PROTECTED]> wrote:
Ah yeah, I actually tried john the ripper, but some of my users only
exist for a week or so, so it's not exactly practical to run it every
time a new user is made.  But I do run it from time to time anyways.

Most of my authentication on my system is done via pam.  I was wondering
if there was a way to enforce stricter policies such as locking IPs out for
a few hours at a time after 10 login failures in X amount of time or
something like that.  I have a fairly limited understanding of PAM and
how to configure it and don't know if this is feasible.  Also I very vaguely
remember reading somewhere about automated IP blacklists of some sort: I
realize that this would only cover people with static IPs, but I was
thinking -- if they did exist -- somehow getting my firewall to use one
might be a step in the right direction.

Thanks for all the feedback,
Michael

Rob wrote:

>On Wed, Sep 14, 2005 at 10:32:59AM -0400, Don Schmadel wrote:
>
>
>>Several months ago my machine was compromised through ssh by a system in
>>the Netherlands. They gained access through a user with an easy password
>>and then used "su" along with an enormous list of password combinations
>>to get root access. Finally they installed a "root kit" which caused my
>>machine to attempt to compromise others.
>>
>>The only way to be safe is to:
>>
>>   1) carefully check your ssh config file to make sure that "admin",
>>      "test", and similar users do not have access
>>
>>   2) use long (more than 8 characters), very random passwords. "root kits"
>>      contain entire dictionaries which they use for sample passwords.
>>
>>   3) put any sensitive info on an encrypted partition and demount it
>>      when you are not accessing it.
>>
>>With "root kits" attacks can come from your nearest neighbor, so
>>blocking is of little use.
>>
>>
>
>Something else that is useful is to regularly run John the Ripper
>(http://www.openwall.com/john/ ) or similar on your password file to
>make sure that users are picking good passwords.  Having poor passwords
>creates all kinds of problems (as I guess you found out ;-( ).
>
>- Rob
>
>



--
Christopher Conroy
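The threshold-and-lockout rule discussed in this thread (flag an IP after N failed logins inside a time window, keep it blocked for a few hours) is easy to prototype before wiring it into Swatch or a firewall. The script below is an added illustration and is not Chris's, Michael's, or the Swatch project's code. It assumes OpenSSH's standard "Failed password ... from <ip>" syslog line, a fixed log year (syslog timestamps carry none), and a constructed set of sample log lines using documentation IP ranges; the names `FailureTracker`, `parse_failure` and `scan` are this example's own.

```python
"""Sliding-window SSH failed-login detector (added illustration, not Swatch).

Counts "Failed password" events per source IP from sshd syslog lines and
flags any IP that reaches THRESHOLD failures inside WINDOW, then records a
block expiry BLOCK_FOR later. Sample log lines are constructed below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # failures before an IP is flagged
WINDOW = timedelta(minutes=5)   # sliding window in which they must occur
BLOCK_FOR = timedelta(hours=2)  # how long a flagged IP stays blocked
LOG_YEAR = 2005                 # assumed: syslog timestamps carry no year

# OpenSSH failure line in classic syslog format ("Mon DD HH:MM:SS host sshd[pid]: ...").
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


class FailureTracker:
    """Per-IP sliding window of failure timestamps plus block expiry times."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}           # ip -> datetime the block expires

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a block."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        already_blocked = ts < self.blocked_until.get(ip, datetime.min)
        if len(q) >= self.threshold and not already_blocked:
            self.blocked_until[ip] = ts + self.block_for
            q.clear()  # start counting afresh once the block expires
            return ip
        return None

    def is_blocked(self, ip, now):
        """True if the block on ip is still in force at time now."""
        return now < self.blocked_until.get(ip, datetime.min)


def make_sample_log():
    """Constructed sample: 12 failures from one IP in ~2 minutes, 2 from another,
    and one successful key login that must be ignored."""
    base = datetime(2005, 9, 14, 10, 32, 0)
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=10 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{t} host sshd[1234]: Failed password for invalid user admin "
                     f"from 192.0.2.10 port 4000 ssh2")
    for i in range(2):
        t = (base + timedelta(seconds=30 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{t} host sshd[1235]: Failed password for bob "
                     f"from 198.51.100.7 port 4001 ssh2")
    lines.append("Sep 14 10:33:00 host sshd[1236]: Accepted publickey for alice "
                 "from 203.0.113.5 port 4002 ssh2")
    return lines


def scan(lines, tracker=None):
    """Feed every line through the tracker; return the IPs blocked, in order."""
    tracker = tracker if tracker is not None else FailureTracker()
    return [ip for ip in (tracker.feed(line) for line in lines) if ip]


if __name__ == "__main__":
    t = FailureTracker()
    for ip in scan(make_sample_log(), t):
        print(f"block {ip} until {t.blocked_until[ip]}")
```

In a real deployment the `feed` return value is where a firewall rule would be added (and removed again when `is_blocked` turns false); the window and threshold map directly onto the values Michael asked about. Note the detector keys on the IP in the log line only, so it does nothing about the distributed, many-source attacks Don describes, and it cannot tell a shared NAT gateway from a single attacker.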
