Gentoo Archives: gentoo-security

From: J Holder <trs-gml@××××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:51
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by MaxieZ
MaxieZ said:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>> Hey all,
>>
>> I'm looking for an app/script which can monitor for failed ssh logins,
>> and block using IPTables for $time after $number of failed logins (an
>> exclusion list would be handy as well) so that I can put a quick stop to
>> these niggly brute-force ssh "attacks" I seem to be getting more and
>> more often.
>
> or change ports
Changing ports does a wonderful job of cutting down on spurious connects. Going one tiny step further, I like to know if anyone has ever connected to my sshd. So I do the following:

1. Set loglevel for sshd to verbose
2. cron a connect report to run once an hour.

This tells me the IP and reverse IP address of every host to do a full connect. AFAIK, a full connect would be necessary to see the banner and identify the port as running sshd.

My connect-report script is as follows:

    #!/bin/bash
    # Needs "LogLevel VERBOSE" in sshd_config so that every connect is logged.
    echo "Remote SSH Connection report for $HOSTNAME"
    echo "------------------------------------------"
    echo
    egrep "Connection from" < /var/log/auth.log \
        | egrep -o '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+' \
        | sort | uniq | /root/bin/phost

The above script relies on phost; a small helper script (because I couldn't stand to spend more than 5 minutes trying to figure out which IP lookups would accept input from stdin):

    #!/usr/bin/perl
    # Reverse-resolve each IP address read from stdin, one per line.
    use strict;
    use warnings;
    while (my $ip = <STDIN>) {
        chomp $ip;                        # strip the newline before calling host(1)
        next unless $ip =~ /^[0-9.]+$/;   # only dotted-quad input reaches the shell
        print `host $ip`;
    }

I have never seen a connect from an IP I didn't expect, and if I ever do, I can just move sshd to another port if I am feeling excessively paranoid.

-- 
gentoo-security@g.o mailing list
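The following is an added example, not code from the post above or from any of the list participants: the same hourly "connect report" idea, written so it can be exercised offline. It parses sshd's VERBOSE "Connection from ..." lines, counts full connects per source address, and reverse-resolves each one through a pluggable resolver. It goes a little beyond the post's egrep pipeline in that it also accepts IPv6 sources and applies the exclusion list the original question asked for. The log lines, hostnames and addresses are constructed for illustration (RFC 5737 / RFC 3849 documentation ranges); the report output format is an assumption.

```python
"""Hourly sshd connect report (added example; constructed sample data)."""
import ipaddress
import re
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List

# With "LogLevel VERBOSE", OpenSSH logs one line per TCP connection that
# reaches sshd, before any authentication happens, e.g.
#   sshd[1234]: Connection from 192.0.2.10 port 54321 on 198.51.100.5 port 22
# Failed/accepted login lines also contain "from <ip>" but not this prefix.
CONNECTION_RE = re.compile(r"sshd\[\d+\]: Connection from (?P<src>\S+) port \d+")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Oct  3 10:10:16 host sshd[1234]: Connection from 192.0.2.10 port 54321 on 198.51.100.5 port 22
Oct  3 10:10:17 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 54321 ssh2
Oct  3 10:11:02 host sshd[1240]: Connection from 192.0.2.10 port 54400 on 198.51.100.5 port 22
Oct  3 10:12:45 host sshd[1251]: Connection from 2001:db8::1 port 40000 on 2001:db8::5 port 22
Oct  3 10:13:00 host sshd[1260]: Connection from 203.0.113.7 port 2222 on 198.51.100.5 port 22
Oct  3 10:13:01 host sshd[1260]: Accepted publickey for jb from 203.0.113.7 port 2222 ssh2
Oct  3 10:14:00 host sshd[1270]: Connection from 203.0.113.7 port 2230 on 198.51.100.5 port 22
"""


def parse_connections(lines: Iterable[str]) -> Counter:
    """Count completed TCP connections per source address (v4 or v6)."""
    counts: Counter = Counter()
    for line in lines:
        m = CONNECTION_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed field; keep log garbage out of the report
        counts[str(addr)] += 1
    return counts


def is_excluded(addr: str, exclusions: Iterable[str]) -> bool:
    """True if addr lies inside any excluded host or CIDR network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(x, strict=False) for x in exclusions)


def reverse_lookup(addr: str) -> str:
    """Default resolver: PTR lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return "(no PTR)"


def _sort_key(addr: str):
    ip = ipaddress.ip_address(addr)
    return (ip.version, ip)  # v4 before v6; numeric order within a family


def connect_report(lines: Iterable[str], exclusions: Iterable[str] = (),
                   resolver: Callable[[str], str] = reverse_lookup) -> List[Dict]:
    """One entry per non-excluded source: address, connect count, reverse name."""
    exclusions = list(exclusions)
    rows = []
    for addr, n in sorted(parse_connections(lines).items(),
                          key=lambda kv: _sort_key(kv[0])):
        if is_excluded(addr, exclusions):
            continue
        rows.append({"ip": addr, "connections": n, "rdns": resolver(addr)})
    return rows


def format_report(hostname: str, rows: List[Dict]) -> str:
    """Plain-text report in the spirit of the original script's output."""
    out = [f"Remote SSH Connection report for {hostname}",
           "------------------------------------------", ""]
    for r in rows:
        out.append(f"{r['ip']:<40} {r['connections']:>4}  {r['rdns']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Stub resolver so the demo runs without DNS; drop it to use real PTR lookups.
    rows = connect_report(SAMPLE_LOG.splitlines(),
                          exclusions=["203.0.113.0/24"],  # e.g. your own office range
                          resolver=lambda a: "example.invalid")
    print(format_report("host", rows))
```

The exclusion list is applied after counting so a trusted range never reaches the resolver; in a cron job the report would be fed from /var/log/auth.log (or the journal) instead of SAMPLE_LOG.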


Replies:
  Re: [gentoo-security] [OT?] automatically firewalling off IPs, Brian Micek <bmicek@×××××××××.net>