Gentoo Archives: gentoo-security

From: Andreas Waschbuesch <awaschb@××××.de>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:50
Message-Id: 200510022357.14312.awaschb@gwdg.de
In Reply to: [gentoo-security] [OT?] automatically firewalling off IPs by Jeremy Brake
You wrote:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop
> to these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

It's a bad idea trying to automatically drop any $EVILATTEMPT imho,
because the worst case scenario would be excluding valid users from
dynIP-ascends / dialup users. One could even try to DoS you by faking
source IPs etc.

A better strategy would be

1.) disabling root-access in sshd-conf and defining valid users. (General
advice.)

2.) setting up a "bastion host" (preferably minimal installation, as
"naked" as "stripped down" could be). To minimize single point of failure
risks one could add / use some more hosts, preferably in different
subnets.

3.) giving that host/those hosts exclusive access to sshd via hosts.access
while denying everybody else via hosts.deny.

No automatisms, plain simple, predictable - while "intransparent" enough
for the $EVILGUYS.

--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@××××.de

--
gentoo-security@g.o mailing list
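The three steps in the reply above, written out as configuration plus a small self-check, as an added example; this is not code from the original mail or from the Gentoo project. The sshd_config keywords (PermitRootLogin, AllowUsers) and the hosts.allow/hosts.deny syntax are real; the user names alice and bob, the bastion addresses 192.0.2.10/.11 and the working directory are placeholders. The script writes the fragments to a scratch directory and checks them with grep, so it can be run without touching a live system.

```shell
#!/bin/sh
# Added example, not part of the original thread. Writes the sshd_config and
# TCP-wrapper fragments for the three steps (no root login, explicit user
# list, bastion-only access) into a scratch directory and checks them.
# alice/bob and 192.0.2.10/.11 are placeholders (assumptions).

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: no root logins over ssh, and an explicit allow-list of accounts.
# Everything not named in AllowUsers is refused before authentication.
write_sshd_config() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice bob
EOF
}

# Step 3: hosts.allow is consulted first, then hosts.deny. Listing the
# bastion host(s) for sshd and denying ALL in hosts.deny means only those
# addresses ever reach the daemon (sshd must be built with libwrap support).
write_tcp_wrappers() {
    cat > "$1/hosts.allow" <<'EOF'
sshd: 192.0.2.10, 192.0.2.11
EOF
    cat > "$1/hosts.deny" <<'EOF'
sshd: ALL
EOF
}

# Returns 0 when the sshd_config at $1 disables root login and carries a
# non-empty AllowUsers line, 1 otherwise.
check_sshd_config() {
    grep -qE '^PermitRootLogin[[:space:]]+no$' "$1" || return 1
    grep -qE '^AllowUsers[[:space:]]+[^[:space:]]' "$1" || return 1
    return 0
}

# Returns 0 when hosts.deny closes sshd to ALL and hosts.allow names at
# least one address for sshd, 1 otherwise.
check_tcp_wrappers() {
    grep -qE '^sshd:[[:space:]]*ALL$' "$1/hosts.deny" || return 1
    grep -qE '^sshd:[[:space:]]*[0-9]' "$1/hosts.allow" || return 1
    return 0
}

write_sshd_config "$WORKDIR/sshd_config"
write_tcp_wrappers "$WORKDIR"
check_sshd_config "$WORKDIR/sshd_config" && echo "sshd_config: ok"
check_tcp_wrappers "$WORKDIR" && echo "tcp wrappers: ok"
```

On a real host the fragments go into /etc/ssh/sshd_config, /etc/hosts.allow and /etc/hosts.deny; before reloading, `sshd -t -f /etc/ssh/sshd_config` is the authoritative syntax check, and the grep-based functions above only confirm that the hardening lines are present. Keep the bastion addresses static, since the whole point of the scheme is that access does not depend on a changing client IP.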