List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: "J Holder" <trs-gml@...>
Subject: Re: [OT?] automatically firewalling off IPs
Date: Sun, 2 Oct 2005 17:29:06 -0500 (CDT)
MaxieZ said:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>> Hey all,
>>
>> I'm looking for an app/script which can monitor for failed ssh logins,
>> and block using IPTables for $time after $number of failed logins (an
>> exclusion list would be handy as well) so that I can put a quick stop to
>> these niggly brute-force ssh "attacks" I seem to be getting more and
>> more often.
>
> http://kodu.neti.ee/~risto/sec/
>
> or change ports

Changing ports does a wonderful job of cutting down on spurious connects. 
Going one tiny step further, I like to know if anyone has ever connected
to my sshd.  So I do the following:

1. Set loglevel for sshd to verbose
2. cron a connect report to run once an hour.  This tells me the IP and
reverse IP address of every host to do a full connect.  AFAIK, a full
connect would be necessary to see the banner and identify the port as
running sshd.

My connect-report script is as follows:
#!/bin/sh
echo "Remote SSH Connection report for $HOSTNAME"
echo "------------------------------------------"
echo
# Pull the source IPv4 address out of every sshd "Connection from" line
# (only logged at LogLevel VERBOSE), de-duplicate, then resolve each one.
# The pattern is quoted so the shell does not glob-expand the brackets.
egrep "Connection from" < /var/log/auth.log \
  | egrep -o '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+' \
  | sort | uniq | /root/bin/phost

The above script relies on phost; a small helper script (because I
couldn't stand to spend more than 5 minutes trying to figure out which IP
lookups would accept input from stdin):
#!/usr/bin/perl
use strict;
use warnings;

# Resolve each IP read from stdin with host(1) and print the answer.
# Input is expected to be the digits-and-dots output of the egrep above.
while (my $ip = <STDIN>) {
    chomp $ip;
    my $output = `host $ip`;
    print $output;
}

I have never seen a connect from an IP I didn't expect, and if I ever do,
I can just move sshd to another port if I am feeling excessively paranoid.


-- 
gentoo-security@g.o mailing list
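As an added example (not from the original message or the list), the same report in Python, extended to cover the original poster's request: it parses constructed OpenSSH auth.log lines logged at LogLevel VERBOSE, lists every source that completed a full connect, and flags sources whose failed logins reach a threshold while honouring an exclusion list. Hostnames, PIDs and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed documentation values; name resolution is left to host(1) as in the post.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (syslog + OpenSSH format); not real hosts.
SAMPLE_LOG = """\
Oct  2 17:01:02 gw sshd[4120]: Connection from 192.0.2.10 port 51234
Oct  2 17:01:03 gw sshd[4120]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct  2 17:01:05 gw sshd[4122]: Connection from 192.0.2.10 port 51235
Oct  2 17:01:06 gw sshd[4122]: Failed password for root from 192.0.2.10 port 51235 ssh2
Oct  2 17:01:09 gw sshd[4125]: Connection from 192.0.2.10 port 51236
Oct  2 17:01:10 gw sshd[4125]: Failed password for root from 192.0.2.10 port 51236 ssh2
Oct  2 17:05:00 gw sshd[4130]: Connection from 198.51.100.7 port 40000
Oct  2 17:05:02 gw sshd[4130]: Accepted publickey for jholder from 198.51.100.7 port 40000 ssh2
Oct  2 17:06:00 gw sshd[4131]: Connection from 203.0.113.5 port 40100
Oct  2 17:06:01 gw sshd[4131]: Failed password for root from 203.0.113.5 port 40100 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "Connection from" only appears at LogLevel VERBOSE and means a full TCP connect.
CONNECT_RE = re.compile(r"sshd\[\d+\]: Connection from " + IPV4 + r" port")
# Covers both "Failed password for root" and "Failed password for invalid user X".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?\S+ from " + IPV4)


def _count(regex, log_text):
    """Count matches of regex per source IP across the log lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = regex.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def connection_report(log_text):
    """Source IPs that completed a full connect, with connect counts."""
    return _count(CONNECT_RE, log_text)


def failed_logins(log_text):
    """Source IPs with failed authentication attempts, with attempt counts."""
    return _count(FAILED_RE, log_text)


def block_candidates(log_text, threshold=3, exclude=()):
    """IPs whose failed logins reach threshold, minus the exclusion list."""
    return sorted(ip for ip, n in failed_logins(log_text).items()
                  if n >= threshold and ip not in set(exclude))


def format_report(hostname, log_text):
    """Text report in the shape of the cron job above (one IP per line)."""
    lines = ["Remote SSH Connection report for %s" % hostname, "-" * 42, ""]
    lines += ["%s (%d connects)" % (ip, n) for ip, n in sorted(connection_report(log_text).items())]
    return "\n".join(lines)
```

Pipe the IPs from `connection_report` into the post's phost helper to get reverse names; `block_candidates` gives the list a cron job would hand to iptables after the exclusion list is applied.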


Replies:
Re: [OT?] automatically firewalling off IPs
-- Brian Micek
References:
[OT?] automatically firewalling off IPs
-- Jeremy Brake
Re: [OT?] automatically firewalling off IPs
-- MaxieZ