[wplug] Any tips against this kind of ssh break-in?
Chris Romano
romano.chris at gmail.com
Fri Jul 15 08:18:40 EDT 2005
On 7/15/05, Russ Schneider <russ at sugapablo.com> wrote:
> Occasionally, I get someone trying to break in via ssh, just hammering
> away, I'm assuming just trying to guess passwords automatically.
>
> Example: http://www.sugapablo.net/docs/script-02.txt
>
> I have a firewall, ssh is one of the few open ports. The firewall
> (Netgear) does not let me block IP addresses or IP ranges.
>
> I did notice that in sshd_config, root was allowed to login. I just
> turned that off.
>
> Luckily, no one has gotten in with this kind of attempt yet. But I was
> wondering if there were any further measures I could take to make sure it
> never happens.
>
> Ideally, I would think there would/should be some kind of measure I could
> take where if an IP address made X number of attempts to login and failed
> in a Y hour period, that IP address would be blocked from further login
> attempts.
>
> Any such thing available/possible?
>
> Any other suggestions to futher tighten things down? What about other
> users in the system like http, mysql, ftp, etc? I *assume* that since
> these users don't have (at least I don't think so) passwords associated
> with them and sshd_config will only allow users with passwords to login
> that they can't login. (But I could be wrong.)
>
Just from the top of my head you could probably do something like this.
Write a script to check the log for failed SSH attempts. Have it look
for X attempts within Y minutes. If it finds any, have it write an
iptable rule or put the IP in your host.deny file. Put the script in
cron to run every minute or 5 minutes.
Chris
More information about the wplug
mailing list