[Intrusions] SSH brute forcing attacks
Håkon Alstadheim
hakon at alstadheim.priv.no
Thu May 19 00:29:02 GMT 2005
mdwyer at timestreamtech.com wrote:
>>However, in view of these attacks I have implemented a dynamic filter
>>via system-wide logging - multiple login failures across monitored
>>machines will result in the source being blocked.
>
> I'm curious about how you implemented this.
To keep resource-use down while still being responsive, I've made a fifo
and added that to /etc/syslog.conf like so:
auth.* |/var/run/blacklist-log-input
My script (actually a lisp process) opens the fifo for reading (blocking
when there is nothing to read), makes a note of everything iffy, and
runs an iptables command to block the IP once a threshold is reached
(number of unknown users/uncompleted login attempts). The watcher stays
in memory all the time, but it will mostly be blocked waiting to read,
and hence swapped out.
The command to actually do the blacklisting is just one iptables command
to add the offender to a chain that I've set up beforehand.
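As an added illustration of the design described in the post (it is not the author's lisp watcher, only a sketch of the same fifo-reader idea in Python): syslog writes `auth.*` into a named pipe, a long-lived process blocks on reading it, tallies "iffy" sshd events per source address, and, once a per-address threshold is reached, emits one iptables command that appends the offender to a pre-created chain. The chain name `BLACKLIST`, the threshold, the regular expressions for the two sshd message shapes, and the sample log lines are all assumptions constructed for the example; `demo()` runs the same tally over the embedded lines so the logic can be checked without a fifo or root.

```python
import re
import subprocess
import sys
from collections import defaultdict

# Assumed: a chain created beforehand, e.g. `iptables -N BLACKLIST` and a
# jump to it from INPUT. The watcher only ever appends to this chain.
BLACKLIST_CHAIN = "BLACKLIST"

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# The two kinds of "iffy" events the post counts: unknown users and
# uncompleted (failed) logins. IPv4-only by assumption.
FAIL_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + IPV4),
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IPV4),
]


def offending_ip(line):
    """Return the source address if the syslog line is a failed/unknown-user sshd event."""
    for pat in FAIL_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("ip")
    return None


class Watcher:
    """Per-source failure tally with a one-shot block decision."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.blocked = set()

    def feed(self, line):
        """Return the iptables argv to run if this line trips the threshold, else None."""
        ip = offending_ip(line)
        if ip is None or ip in self.blocked:
            return None
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.blocked.add(ip)  # block once; later lines from this source are ignored
            return ["iptables", "-A", BLACKLIST_CHAIN, "-s", ip, "-j", "DROP"]
        return None


def run_on_fifo(path, threshold=5, execute=False):
    """Block on the fifo syslog writes to; re-open it if the writer closes its end."""
    watcher = Watcher(threshold)
    while True:
        with open(path) as fifo:  # open() blocks until syslog opens the write side
            for line in fifo:
                cmd = watcher.feed(line)
                if cmd:
                    print(" ".join(cmd))
                    if execute:
                        subprocess.run(cmd, check=False)


# Constructed sample lines in classic syslog/sshd shape (addresses from RFC 5737 ranges).
SAMPLE_LOG = [
    "May 19 00:12:01 host sshd[1234]: Invalid user admin from 192.0.2.10",
    "May 19 00:12:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40000 ssh2",
    "May 19 00:12:05 host sshd[1240]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "May 19 00:12:07 host sshd[1251]: Accepted publickey for alice from 198.51.100.7 port 5001 ssh2",
    "May 19 00:12:09 host sshd[1260]: Failed password for bob from 198.51.100.7 port 5002 ssh2",
    "May 19 00:12:11 host sshd[1262]: Failed password for root from 192.0.2.10 port 40002 ssh2",
]


def demo(threshold=3):
    """Run the tally over SAMPLE_LOG and return the block commands it would issue."""
    watcher = Watcher(threshold)
    return [cmd for cmd in (watcher.feed(line) for line in SAMPLE_LOG) if cmd]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        run_on_fifo(sys.argv[1])  # e.g. /var/run/blacklist-log-input, as in the post
    else:
        for cmd in demo():
            print(" ".join(cmd))
```

With the sample input and a threshold of 3, only 192.0.2.10 is blocked, and only once: the fourth failed line from it is dropped by the `blocked` check rather than producing a duplicate rule. The single successful login from 198.51.100.7 does not count against it.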