FW: [clug] SSH attack

Russell Zweck rzweck at ozemail.com.au
Tue Jul 26 06:57:32 GMT 2005


Steve Walsh wrote:

>Or, you could set up a small script to parse the log files every hour (or
>minute or what ever time frame suits you) and then output the result of
>multiple appearances of an IP into the hosts.deny file. Mind you, for this
>to work, you need to be running TCP wrappers, but then if a machine is on
>the big bad net and not running TCP wrapper ...I don't want to think about
>that.
>
>
>Steve.
>  
>

As usual for many problems, someone has already created a script that 
does what you probably want.  It's a perl script that checks the sshd 
logs and stops further logins after a number of failed ssh login 
attempts from that server for a period of time which you can nominate.  
See the link for further info.

http://www.lumiere.net/~j/login_sentry/

Russell.

>-----Original Message-----
>From:
>Andrew Pollock
>Sent: Tuesday, 26 July 2005 10:12 AM
>To: Steve Jenkin
>Cc: CLUG List
>Subject: Re: [clug] SSH attack
>
>
>On Mon, Jul 25, 2005 at 11:51:22PM +1000, Steve Jenkin wrote:
>  
>
>>Tonight I noticed lots of inbound network activity to an unused host: I
>>mapped SSH through the firewall to it.
>>
>>First event in log:
>>Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
>>Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test
>>from 66.235.160.30 port 60518 ssh2
>>
>>Could this explain the compromise someone on the list saw recently.
>>    
>>
>
>I use Netfilter to slow these down a bit. The attacks are always impatient,
>and that is usually their downfall.
>
>http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks
>
>There can be a bit of collateral damage with these rules and legitimate SSH
>connections originating from lossy networks, so judicious use of
>whitelisting is advised.
>
>I find this greatly reduces the noise in the logs without needing to filter
>it out altogether.
>
> regards
>
> Andrew
>--
>linux mailing list
>linux at lists.samba.org
>https://lists.samba.org/mailman/listinfo/linux
>
>  
>
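The approach Steve Walsh sketches above (parse the sshd log, count repeated failures per source IP, write the offenders into hosts.deny) and the behaviour Russell describes for login_sentry (block a source for a nominated period after a number of failures), as an added example in Python. This is not code from login_sentry, from Andrew's Netfilter rules, or from any of the posts. It assumes the 2005-era syslog line format shown in Steve Jenkin's post; apart from his two lines, the sample log below is constructed. The threshold of 4 failures in 10 minutes, the one-hour ban and the 192.168.1.0/24 whitelist (Andrew's point about collateral damage on lossy networks) are illustrative choices, not anything the linked script does by default.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The first two lines are the ones quoted from
# Steve Jenkin's post; the rest are made up to exercise the logic.
SAMPLE_LOG = """\
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 66.235.160.30
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from 66.235.160.30 port 60518 ssh2
Jun 30 22:58:49 cdr sshd[3538]: Failed password for illegal user guest from 66.235.160.30 port 60531 ssh2
Jun 30 22:58:53 cdr sshd[3540]: Failed password for illegal user admin from 66.235.160.30 port 60544 ssh2
Jun 30 22:58:57 cdr sshd[3542]: Failed password for root from 66.235.160.30 port 60560 ssh2
Jun 30 23:05:10 cdr sshd[3550]: Failed password for rzweck from 192.168.1.20 port 40022 ssh2
Jun 30 23:05:14 cdr sshd[3551]: Failed password for rzweck from 192.168.1.20 port 40023 ssh2
Jun 30 23:05:18 cdr sshd[3552]: Failed password for rzweck from 192.168.1.20 port 40024 ssh2
Jun 30 23:05:22 cdr sshd[3553]: Failed password for rzweck from 192.168.1.20 port 40025 ssh2
Jun 30 23:06:00 cdr sshd[3560]: Accepted password for rzweck from 192.168.1.20 port 40026 ssh2
Jul  1 00:10:00 cdr sshd[3600]: Failed password for illegal user oracle from 10.9.8.7 port 51000 ssh2
Jul  1 01:10:00 cdr sshd[3601]: Failed password for illegal user oracle from 10.9.8.7 port 51001 ssh2
Jul  1 02:10:00 cdr sshd[3602]: Failed password for illegal user oracle from 10.9.8.7 port 51002 ssh2
Jul  1 03:10:00 cdr sshd[3603]: Failed password for illegal user oracle from 10.9.8.7 port 51003 ssh2
"""

# Syslog prefix: "Mon [d]d HH:MM:SS host sshd[pid]: message" (no year).
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Old sshd says "illegal user", newer ones say "invalid user"; a failure
# for a real account has neither phrase.
FAILED_RE = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def syslog_time(stamp, year=2005):
    """Turn a yearless syslog stamp like 'Jun 30 22:58:45' into a datetime."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_failures(lines, year=2005):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAILED_RE.search(m["msg"])
        if not f:
            continue  # "Illegal user ..." and "Accepted ..." lines are not failures
        ts = syslog_time(f"{m['mon']} {m['day']} {m['time']}", year)
        yield ts, f["ip"], f["user"]


def find_offenders(lines, threshold=4, window=timedelta(minutes=10),
                   ban_for=timedelta(hours=1), whitelist=(), year=2005):
    """Return {ip: ban_expiry} for sources with >= threshold failures inside `window`.

    Whitelisted networks are never counted. Failures that arrive while a
    source is already banned are ignored, so a ban is not extended forever by
    attempts that tcpd is already rejecting.
    """
    nets = [ipaddress.ip_network(w) for w in whitelist]
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for ts, ip, _user in parse_failures(lines, year):
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        if ip in bans and ts < bans[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            bans[ip] = ts + ban_for
            q.clear()
    return bans


def hosts_deny_lines(bans, now):
    """hosts.deny entries ('daemon: client') still in force at `now`, sorted by IP."""
    return [f"sshd: {ip}" for ip, expiry in sorted(bans.items()) if expiry > now]


if __name__ == "__main__":
    bans = find_offenders(SAMPLE_LOG.splitlines(), whitelist=("192.168.1.0/24",))
    for entry in hosts_deny_lines(bans, syslog_time("Jun 30 23:30:00")):
        print(entry)
```

Run from cron, the `sshd: a.b.c.d` lines would be written to a temporary file and renamed over /etc/hosts.deny so tcpd never reads a half-written file; the whitelist keeps the admin's own networks out of it regardless of how lossy the link is. As Steve notes, this only bites if sshd actually consults TCP wrappers (built with libwrap or run from tcpd); the 10.9.8.7 source in the sample, trying once an hour, never trips a 10-minute window, which is the usual trade-off between catching slow scans and banning people who mistype a password.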
