This is a discussion on sshd: lock password intruders within the Linux Security forums, part of the System Security and Security Related category; is there a way to block a certain ip address for some minutes, if someone tries out several wrong passwords ...
Stephan Goeldi wrote:
> is there a way to block a certain ip address for some minutes, if someone
> tries out several wrong passwords or users?
>
> I have a lot of failed logins and illegal users which I would like to
> block for some minutes.

Is IPTables logging them? You could start logging the IPs it's coming from and, comparing log times, find out who.

--
Miksch's Law: If a string has one end, then it has another end.
In article <pan.2004.08.25.14.57.19.756716@usable.ch>, Stephan Goeldi wrote:
> is there a way to block a certain ip address for some minutes, if someone
> tries out several wrong passwords or users?
>
> I have a lot of failed logins and illegal users which I would like to
> block for some minutes.

Well, you could have a process that watches the syslogs for sshd errors (which generally include the IP address), and block them. One way would be to update the firewall using iptables, or you could use /etc/hosts.deny if your sshd is compiled with TCP Wrappers support. Should be only a moderately complicated Perl script.

Personally, I don't let anyone ssh in from the net by default. I have another program that people need to authenticate to, then it allows that specific IP address to connect to ssh for a limited time. (If anyone's curious: "http://ingles.homeunix.org/software/ost/").

--
Sincerely,
Ray Ingles (313) 227-2317

Isn't it funny how Jerry Falwell and Pat Robertson blame the actions of fanatical religious zealots on 'secular' groups?
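The log-watching process Ray describes, written out as an added example (this is not code from the thread, nor from his ost tool, and it is Python rather than the Perl he suggests). It parses sshd failure lines out of syslog, keeps a sliding window of failures per source address, and emits the iptables command (and an equivalent hosts.deny line) to block an address for a fixed number of minutes, followed later by the command that releases it. Everything not stated in the posts is an assumption: the sshd message formats matched (the "Illegal user" wording of OpenSSH of the period plus the later "Invalid user" wording), the trigger of 5 failures within 60 seconds, the 10-minute ban, blocking with a DROP rule on port 22, and the constructed sample log lines.

```python
"""Turn repeated sshd authentication failures into time-limited blocks.

Added example, not from the thread.  Assumed (not stated in the posts):
message formats, 5 failures / 60 s trigger, 10-minute ban, port 22.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines, not real traffic.  Classic syslog
# timestamps carry no year, so one is assumed when parsing.
SAMPLE_LOG = """\
Aug 25 14:57:01 host sshd[1201]: Illegal user test from 10.0.0.5
Aug 25 14:57:03 host sshd[1203]: Failed password for illegal user test from 10.0.0.5 port 41234 ssh2
Aug 25 14:57:05 host sshd[1205]: Failed password for illegal user guest from 10.0.0.5 port 41235 ssh2
Aug 25 14:57:07 host sshd[1207]: Failed password for root from 10.0.0.5 port 41236 ssh2
Aug 25 14:57:09 host sshd[1209]: Failed password for admin from 10.0.0.5 port 41237 ssh2
Aug 25 14:57:30 host sshd[1211]: Failed password for alice from 192.168.1.20 port 50000 ssh2
Aug 25 15:00:00 host sshd[1213]: Accepted publickey for alice from 192.168.1.20 port 50001 ssh2
Aug 25 15:30:00 host sshd[1215]: Failed password for root from 10.0.0.5 port 41300 ssh2
"""

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Note: a password attempt against a nonexistent account logs BOTH an
# "Illegal user" line and a "Failed password for illegal user" line, so
# one such attempt counts twice against the threshold.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:i(?:llegal|nvalid) user )?\S+ from " + IPV4),
    re.compile(r"(?:Illegal|Invalid) user \S+ from " + IPV4),
]


def parse_timestamp(line, year=2004):
    """Return the syslog timestamp of `line` as a datetime, or None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def parse_failure(line, year=2004):
    """Return (timestamp, source_ip) if `line` records an sshd auth failure."""
    ts = parse_timestamp(line, year)
    if ts is None:
        return None
    for pat in FAILURE_PATTERNS:
        hit = pat.search(line)
        if hit:
            return ts, hit.group("ip")
    return None


class BanTracker:
    """Sliding-window failure counter with expiring bans, keyed by source IP."""

    def __init__(self, threshold=5, window=timedelta(seconds=60),
                 ban_for=timedelta(minutes=10)):
        self.threshold, self.window, self.ban_for = threshold, window, ban_for
        self.failures = defaultdict(deque)   # ip -> recent failure timestamps
        self.banned_until = {}               # ip -> when the ban lapses

    def feed(self, ts, ip):
        """Record one failure; return True if it pushes `ip` over the threshold."""
        if ip in self.banned_until and ts < self.banned_until[ip]:
            return False                     # already blocked, nothing to do
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned_until[ip] = ts + self.ban_for
            q.clear()
            return True
        return False

    def expired(self, now):
        """Return the IPs whose ban has lapsed by `now`, forgetting them."""
        done = [ip for ip, until in self.banned_until.items() if until <= now]
        for ip in done:
            del self.banned_until[ip]
        return done


def block_cmd(ip):
    # -I puts the rule ahead of any existing ACCEPT for port 22.
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


def unblock_cmd(ip):
    return f"iptables -D INPUT -s {ip} -p tcp --dport 22 -j DROP"


def hosts_deny_line(ip):
    """The TCP Wrappers alternative: a line to append to /etc/hosts.deny."""
    return f"sshd: {ip}"


def process_log(text, tracker=None):
    """Replay log text; return [(timestamp, command)] a live watcher would run."""
    if tracker is None:
        tracker = BanTracker()
    actions = []
    for line in text.splitlines():
        now = parse_timestamp(line)
        if now is None:
            continue
        for ip in tracker.expired(now):       # release bans that have lapsed
            actions.append((now, unblock_cmd(ip)))
        hit = parse_failure(line)
        if hit and tracker.feed(*hit):
            actions.append((now, block_cmd(hit[1])))
    return actions


if __name__ == "__main__":
    for when, cmd in process_log(SAMPLE_LOG):
        print(when.strftime("%b %d %H:%M:%S"), cmd)
```

On the sample, 10.0.0.5 is blocked at 14:57:09 after its fifth failure and released at 15:30:00, the first log event after the ten minutes have passed; 192.168.1.20 never reaches the threshold. The replay only advances the clock when a log line arrives, so a live watcher that tails the log should also run the expiry check on a timer, otherwise a quiet host keeps its bans until the next attacker shows up. If you want one attempt against a nonexistent account to count once, drop the second pattern or raise the threshold.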
Stephan Goeldi <expires.1.9.04@usable.ch> wrote in news:pan.2004.08.25.14.57.19.756716@usable.ch:

> is there a way to block a certain ip address for some minutes, if
> someone tries out several wrong passwords or users?

Elsethread I learned to set hosts.deny to

ALL: ALL

then set hosts.allow to

ALL: LOCAL
ALL: 1.2.3. a.b.c.

etc.

--
- Mark ->
http://www.rfxnetworks.org/bfd.php
Along with their APF firewall blocks and bans brute force attacks ... password guessers
On 2004-08-25, Mark A. Odell <odellmark@hotmail.com> wrote:
> Stephan Goeldi <expires.1.9.04@usable.ch> wrote in
> news:pan.2004.08.25.14.57.19.756716@usable.ch:
>
>> is there a way to block a certain ip address for some minutes, if
>> someone tries out several wrong passwords or users?
>
> Elsethread I learned to set hosts.deny to ALL: ALL
> then set hosts.allow
>
> to
>
> ALL: LOCAL
> ALL: 1.2.3. a.b.c.

If you don't want to be quite that restrictive, I've found that

hosts.deny
sshd: UNKNOWN

cuts down a lot of them, and also banning all domains you're sure you're never going to login from

sshd: .cn, .jp, .mil <and so on>

since I don't think I'll be in those places any time soon.

All the ssh scripts that do this I've seen have port 22 hard coded into them, so moving the SSH port would help a lot too, since the people that do this tend to be idiots that just scan large netblocks looking for a response from port 22 and nothing else. The tool makes a list of listening IPs and then they return later to blast away. Most of the passwords in the files were 8 chars. or under and 99% were dictionary words.

You can protect your sshd with inetd/xinetd, even if it's not got tcpwrappers support compiled in, because tcpd or xinetd will do the checking. xinetd also supports access times & rate limits, as well as auto-bans for anyone hitting a port configured with its SENSOR option. http://www.xinetd.org/

Make sure to report attacking hosts, it does help. I got a couple of good responses from admins that I contacted because their host was attempting brute force. Try 'whois' and 'dig' to find IPs, hostnames, and emails.

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
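Both Mark's default-deny pair of files and the `sshd: UNKNOWN` / `.cn, .jp, .mil` rules in the post above depend on how TCP Wrappers evaluates hosts.allow and hosts.deny, which is easy to get backwards. As an added example that is not code from the thread or from the wrappers themselves, here is a small Python model of the hosts_access(5) decision: hosts.allow is consulted first and a match grants access; otherwise hosts.deny is consulted and a match refuses; otherwise access is granted. It implements only the pattern forms the thread uses (ALL, LOCAL, UNKNOWN, KNOWN, a leading-dot domain suffix, a trailing-dot address prefix, and an exact host or address); EXCEPT, net/mask patterns, shell commands and backslash continuation lines are deliberately left out. The sample rule files are constructed, with 192.168.1. standing in for the thread's 1.2.3. placeholder, and a hostname of None stands for a client whose reverse lookup failed.

```python
"""Model of the hosts_access(5) allow/deny decision for TCP Wrappers.

Added example, not from the thread.  Only the pattern forms used in the
thread are modelled; EXCEPT, net/mask and shell commands are omitted.
"""


def _match_client(pattern, ip, hostname):
    """Does one client pattern match a client?  hostname is None when
    reverse DNS gave no name (what the wrappers call an unknown host)."""
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return hostname is None
    if pattern == "KNOWN":
        return hostname is not None
    if pattern == "LOCAL":                 # a name without a dot
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):            # domain suffix, e.g. ".cn"
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):              # address prefix, e.g. "192.168.1."
        return ip.startswith(pattern)
    return pattern == ip or (hostname is not None and pattern.lower() == hostname.lower())


def parse_rules(text):
    """Parse 'daemon_list : client_list [: ...]' lines into (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed access rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _rule_matches(rule, daemon, ip, hostname):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(_match_client(c, ip, hostname) for c in clients))


def hosts_access(allow_text, deny_text, daemon, ip, hostname=None):
    """True if the wrappers would admit `daemon` for this client."""
    if any(_rule_matches(r, daemon, ip, hostname) for r in parse_rules(allow_text)):
        return True                        # hosts.allow wins outright
    if any(_rule_matches(r, daemon, ip, hostname) for r in parse_rules(deny_text)):
        return False                       # then hosts.deny
    return True                            # no rule at all: access granted


# Constructed rule files (assumptions, not copied from a real host).
DEFAULT_DENY_ALLOW = """\
ALL: LOCAL
ALL: 192.168.1.
"""
DEFAULT_DENY_DENY = "ALL: ALL\n"

SUFFIX_DENY = """\
sshd: UNKNOWN
sshd: .cn, .jp, .mil
"""

if __name__ == "__main__":
    for args in [("sshd", "192.168.1.20", "desk"),
                 ("sshd", "10.0.0.5", "dial.example.net")]:
        print(args, "->", hosts_access(DEFAULT_DENY_ALLOW, DEFAULT_DENY_DENY, *args))
    for args in [("sshd", "10.0.0.5", None), ("sshd", "10.0.0.5", "dial.example.cn"),
                 ("sshd", "10.0.0.5", "dial.example.net")]:
        print(args, "->", hosts_access("", SUFFIX_DENY, *args))
```

Two caveats worth keeping in mind with the hostname-based rules. The name comes from the client's reverse DNS, which the owner of the address space controls, so a `.cn` suffix rule is a filter on what the remote side chooses to advertise, not on where the connection comes from (the real wrappers at least cross-check that the name resolves back to the address). And `sshd: UNKNOWN` refuses any client without a working PTR record, including your own hosts if their reverse DNS is broken. As the post says, none of this is consulted unless sshd was built with wrappers support or is started through tcpd or xinetd.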