[Intrusions] SSH brute forcing attacks
mdwyer at timestreamtech.com
Tue May 17 21:02:52 GMT 2005
> However, in view of these attacks I have implemented a dynamic filter
> via system-wide logging - multiple login failures across monitored
> machines will result in the source being blocked.
I'm curious about how you implemented this. Would you care to share? I
hacked together something that greps for failed logins once a minute, and
adds all the IPs to the hosts.deny list. It is a terrible hack, isn't
efficient, and if I mess up my own login, I'll block MYSELF for the next
week. It tangles up the scripts a little, but even so, it doesn't work all
that well -- in the less-than-sixty seconds between an attack and a block,
the attackers can try quite a few logins.
I've been sorely tempted to add blocking directly into the SSH server, but
it hasn't bothered me enough, yet. Perhaps a little tarpitting is in
order, here?
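As an added illustration of the log-driven blocking the poster describes (this is not code from the poster or the list), the following Python sketch counts failed sshd logins per source address over a sliding time window, skips an allowlisted management network so that fumbling your own password cannot lock you out, and renders the result in hosts.deny syntax. The log lines, hostnames, addresses, the 192.168.1.0/24 allowlist and the threshold of three failures in ten minutes are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sshd log lines (not from the original thread): 203.0.113.7 fails
# three times in two seconds, the admin's own 192.168.1.20 also fails three times.
SAMPLE_LOG = """\
May 17 21:00:01 host1 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 40211 ssh2
May 17 21:00:02 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 40213 ssh2
May 17 21:00:03 host2 sshd[877]: Failed password for admin from 203.0.113.7 port 40215 ssh2
May 17 21:00:30 host1 sshd[1210]: Failed password for mdwyer from 192.168.1.20 port 51022 ssh2
May 17 21:00:31 host1 sshd[1210]: Failed password for mdwyer from 192.168.1.20 port 51022 ssh2
May 17 21:00:32 host1 sshd[1210]: Failed password for mdwyer from 192.168.1.20 port 51022 ssh2
May 17 21:01:00 host2 sshd[880]: Failed password for root from 198.51.100.9 port 33010 ssh2
May 17 21:01:10 host1 sshd[1220]: Accepted publickey for mdwyer from 192.168.1.20 port 51030 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def failures_by_source(log_text, year=2005):
    """Map source IP -> sorted failure timestamps (syslog lines carry no year)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            per_ip[m["ip"]].append(ts)
    return {ip: sorted(ts) for ip, ts in per_ip.items()}

def hosts_to_block(log_text, threshold=3, window=timedelta(minutes=10),
                   allowlist=("192.168.1.0/24",)):
    """Sources with >= threshold failures inside one window, minus allowlisted nets."""
    safe = [ip_network(n) for n in allowlist]
    blocked = []
    for ip, times in failures_by_source(log_text).items():
        if any(ip_address(ip) in net for net in safe):
            continue  # never lock out your own management addresses
        # Sliding window over consecutive failures: any `threshold` inside `window` trips it.
        if any(times[i] - times[i - threshold + 1] <= window
               for i in range(threshold - 1, len(times))):
            blocked.append(ip)
    return sorted(blocked)

def hosts_deny_lines(ips):
    """Render the block list in hosts.deny syntax, limited to the sshd service."""
    return [f"sshd: {ip}" for ip in ips]
```

Running this once a minute from cron still leaves the latency the poster complains about; the allowlist only addresses the self-lockout half of the problem.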