Gentoo Archives: gentoo-security

From: Andreas Waschbuesch <awaschb@××××.de>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:50
In Reply to: [gentoo-security] [OT?] automatically firewalling off IPs by Jeremy Brake
You wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop
> to these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B
It's a bad idea trying to automatically drop any $EVILATTEMPT imho, because the worst-case scenario would be excluding valid users from dynIP-ascends / dialup users. One could even try to DoS you by faking source IPs etc. A better strategy would be:

1.) disabling root access in sshd-conf and defining valid users. (General advice.)
2.) setting up a "bastion host" (preferably a minimal installation, as "naked" and "stripped down" as could be). To minimize single-point-of-failure risks one could add / use some more hosts, preferably in different subnets.
3.) giving that host/those hosts exclusive access to sshd via hosts.access while denying everybody else via hosts.deny.

No automatisms, plain simple, predictable - while "intransparent" enough for the $EVILGUYS.

-- 
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@××××.de

-- 
gentoo-security@g.o mailing list