[wplug] Any tips against this kind of ssh break-in?
Teodorski, Chris
teodorski at ppg.com
Fri Jul 15 08:56:06 EDT 2005
All,
When I was looking into this very thing -- I found several Perl scripts that would do just what Chris described. In addition they suggested installing knockd (http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki) just in case you managed to lock yourself out.
Chris
-----Original Message-----
From: wplug-bounces+teodorski=ppg.com at wplug.org [mailto:wplug-bounces+teodorski=ppg.com at wplug.org] On Behalf Of Chris Romano
Sent: Friday, July 15, 2005 8:19 AM
To: General user list
Subject: Re: [wplug] Any tips against this kind of ssh break-in?
On 7/15/05, Russ Schneider <russ at sugapablo.com> wrote:
> Occasionally, I get someone trying to break in via ssh, just hammering
> away, I'm assuming just trying to guess passwords automatically.
>
> Example: http://www.sugapablo.net/docs/script-02.txt
>
> I have a firewall, ssh is one of the few open ports. The firewall
> (Netgear) does not let me block IP addresses or IP ranges.
>
> I did notice that in sshd_config, root was allowed to login. I just
> turned that off.
>
> Luckily, no one has gotten in with this kind of attempt yet. But I was
> wondering if there were any further measures I could take to make sure it
> never happens.
>
> Ideally, I would think there would/should be some kind of measure I could
> take where if an IP address made X number of attempts to login and failed
> in a Y hour period, that IP address would be blocked from further login
> attempts.
>
> Any such thing available/possible?
>
> Any other suggestions to futher tighten things down? What about other
> users in the system like http, mysql, ftp, etc? I *assume* that since
> these users don't have (at least I don't think so) passwords associated
> with them and sshd_config will only allow users with passwords to login
> that they can't login. (But I could be wrong.)
>
Just from the top of my head you could probably do something like this.
Write a script to check the log for failed SSH attempts. Have it look
for X attempts within Y minutes. If it finds any, have it write an
iptable rule or put the IP in your host.deny file. Put the script in
cron to run every minute or 5 minutes.
Chris
_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
More information about the wplug
mailing list