This is a discussion on Automatic blocking of attackers' IP within the Linux Security forums, part of the System Security and Security Related category.

Hi,

I would like to have the following scenario implemented on my network:

1. Someone tries repeatedly and illegally to log in as 'admin', 'root' or whatever from some IP using SSH (or any other means).

2. When the number of attempts reaches a predefined trigger level, an action occurs (a script is executed, etc.)

The definition of attempts, the trigger level and the resulting action should be configurable.

Is a watchdog like that, one that would fulfill my requirements, available somewhere out there, or do I have to sit down and start scripting?

Thanks

Frank Bures, <feeb@chem.utoronto.ca>

"FEEB" <feeb@chem.utoronto.ca> wrote in
news:srropurzhgbebagbpn.i3obx7d.pminews@news1.chem .utoronto.ca: > Hi, > > I would like to have the following scenario implemented on my network: > > 1. > Someone tries repeatedly and illegally to log in as 'admin', 'root' or > whatever from some IP using SSH (or any other means). Why not just set hosts.deny to ALL: ALL and then open up only those IPs or domains you wish to allow in hosts.allow? -- - Mark -> -- |
|
|||
|
"FEEB" <feeb@chem.utoronto.ca> wrote in
news:srropurzhgbebagbpn.i3obx7d.pminews@news1.chem .utoronto.ca: > 1. > Someone tries repeatedly and illegally to log in as 'admin', 'root' or > whatever from some IP using SSH (or any other means). > > 2. > When the number of attempts reaches a predefined trigger level, an > action occurs (a script is executed, etc.) I know its out there. Ive seen it. Im on my way out or I would search for it. I would tend to write my own anyway so Im pretty sure I didnt install it. Gandalf Parker -- the music should always change when.. Someone in a horror movie says "We should be safe here" Someone driving says "Ive never had an accident" Some computer user says "My machine is secure" |
|
|||
|
On 7 Sep 2004 15:07:27 GMT, Mark A. Odell wrote:

> "FEEB" <feeb@chem.utoronto.ca> wrote in
> news:srropurzhgbebagbpn.i3obx7d.pminews@news1.chem.utoronto.ca:
>
>> Hi,
>>
>> I would like to have the following scenario implemented on my network:
>>
>> 1.
>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
>> whatever from some IP using SSH (or any other means).
>
> Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
> domains you wish to allow in hosts.allow?

We must be open to anyone. That's our business :-)

Frank Bures, <feeb@chem.utoronto.ca>

"FEEB" <feeb@chem.utoronto.ca> wrote in
news:srropurzhgbebagbpn.i3ohdhe.pminews@news1.chem .utoronto.ca: >>> I would like to have the following scenario implemented on my network: >>> >>> 1. >>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or >>> whatever from some IP using SSH (or any other means). >> >>Why not just set hosts.deny to ALL: ALL and then open up only those IPs > or >>domains you wish to allow in hosts.allow? > > We must be open to anyone. That's our business :-) Ah. Then just put the bad IP or IP range into the hosts.deny. Of course this won't scale well for many IP addresses. -- - Mark -> -- |
|
|||
|
On 7 Sep 2004 16:56:58 GMT, Mark A. Odell wrote:

> "FEEB" <feeb@chem.utoronto.ca> wrote in
> news:srropurzhgbebagbpn.i3ohdhe.pminews@news1.chem.utoronto.ca:
>
>>>> I would like to have the following scenario implemented on my network:
>>>>
>>>> 1.
>>>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
>>>> whatever from some IP using SSH (or any other means).
>>>
>>> Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
>>> domains you wish to allow in hosts.allow?
>>
>> We must be open to anyone. That's our business :-)
>
> Ah. Then just put the bad IP or IP range into the hosts.deny. Of course
> this won't scale well for many IP addresses.

It would be quite inconvenient in our case of 4 full C-blocks. The mechanism of blocking the intruder is available. However, I want to do it automatically and only after a certain trigger level has been reached. I know how to do it, I just do not want to reinvent the wheel.

Frank Bures, <feeb@chem.utoronto.ca>

On Tue, 07 Sep 2004 09:53:31 -0400, FEEB wrote:

> Hi,
>
> I would like to have the following scenario implemented on my network:
>
> 1.
> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
> whatever from some IP using SSH (or any other means).
>
> 2.
> When the number of attempts reaches a predefined trigger level, an action
> occurs (a script is executed, etc.)
>
> The definition of attempts, the trigger level and the resulting action
> should be configurable.
>
> Is a watchdog like that that would fulfill my requirements available
> somewhere out there or do I have to sit down and start scripting?

1. Rate limit SSH connections with iptables. You can use traffic shaping to get fine-grained control if that isn't enough.

2. Use Swatch to monitor your SSH log file for failed connections. Tell it to use iptables to drop traffic from IPs that appear too often. There's an example in the config that almost does this for you already.

http://swatch.sourceforge.net/

-- 
BOFH Excuse #205: Quantum dynamics are affecting the transistors

"FEEB" <feeb@chem.utoronto.ca> writes:
]On 7 Sep 2004 15:07:27 GMT, Mark A. Odell wrote: ]>"FEEB" <feeb@chem.utoronto.ca> wrote in ]>news:srropurzhgbebagbpn.i3obx7d.pminews@news1.che m.utoronto.ca: ]> ]>> Hi, ]>> ]>> I would like to have the following scenario implemented on my network: ]>> ]>> 1. ]>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or ]>> whatever from some IP using SSH (or any other means). ]> ]>Why not just set hosts.deny to ALL: ALL and then open up only those IPs ]or ]>domains you wish to allow in hosts.allow? ]We must be open to anyone. That's our business :-) Then why are you asking how to close yourself to some? Sounds like a DOS would be possible if you impliment what you want (ie from a machine that you need, an attacker tries to log onto your system a number of times, and thus closes off that machine entirely). . Anyway, why does it matter? Is your root password weak enough that you are afraid someone could guess it? Also you could just institute norootlogins in ssh and then they could not succeed even if they got the password. What I am far more concerned about is that places are putting up firewalls which block out ssh. I was just in an airline lounge in Sao Paulo, where their firewall blocks outgoing ssh, which meant I could not log onto my home machine at all. |
|
|||
|
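The watchdog the original post asks for, written out as an added example (this is not code from any poster in the thread, from Swatch or from the cipherdyne tools, and the log lines it runs on are constructed for the example). It covers the three things the poster wants configurable: what counts as an attempt (a regex over sshd "Failed password" lines), the trigger level (N failures from one address inside a sliding window) and the resulting action (any callable taking the address; two are supplied, one producing the iptables drop rule from the Swatch suggestion above, one the hosts.deny line from the earlier replies). It also carries the allowlist that the lock-out objection just above calls for, so an address you depend on cannot be banned by someone failing logins from it. The syslog line format, the year assumed for the timestamps, and the names Watchdog, iptables_drop, hosts_deny and SAMPLE_LOG are all assumptions of the example, not anything the thread specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: syslog-style OpenSSH lines such as
#   Sep  7 09:53:31 gw sshd[4242]: Failed password for root from 203.0.113.5 port 51000 ssh2
# Only "Failed password" lines count as attempts; the separate "Invalid user" line
# sshd also writes for unknown accounts is ignored so one try is not counted twice.
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2004  # syslog timestamps carry no year; assumed for the sample data


def iptables_drop(ip):
    return f"iptables -I INPUT -s {ip} -j DROP"   # action: drop every packet from ip


def hosts_deny(ip):
    return f"ALL: {ip}"   # action: TCP-wrappers hosts.deny line refusing ip for all services


class Watchdog:
    """Count failed logins per source address; fire `action` at the trigger level."""

    def __init__(self, threshold=5, window=600, allow=(), action=iptables_drop):
        self.threshold = threshold                   # trigger level (failures)
        self.window = window                         # seconds; older failures expire
        self.allow = [ip_network(n) for n in allow]  # never block these (avoids lock-out)
        self.action = action                         # callable(ip) -> result
        self.history = defaultdict(deque)            # ip -> timestamps of recent failures
        self.blocked = {}                            # ip -> what the action returned

    def _allowed(self, ip):
        try:
            addr = ip_address(ip)
        except ValueError:
            return True  # unparseable address: never hand it to a firewall command
        return any(addr in net for net in self.allow)

    def feed(self, line):
        """Consume one log line; return the action's result if this line triggers."""
        m = ATTEMPT_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.blocked or self._allowed(ip):
            return None
        t = datetime.strptime(f"{m.group('ts')} {LOG_YEAR}", "%b %d %H:%M:%S %Y").timestamp()
        recent = self.history[ip]
        recent.append(t)
        while recent and t - recent[0] > self.window:   # slide the window forward
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked[ip] = self.action(ip)
            del self.history[ip]
            return self.blocked[ip]
        return None

    def run(self, lines):
        """Process a batch of lines; return {ip: action result} for every trigger."""
        for line in lines:
            self.feed(line)
        return dict(self.blocked)


def _fail(ts, user, ip, pid=4242, port=51000):
    return f"{ts} gw sshd[{pid}]: Failed password for {user} from {ip} port {port} ssh2"


# Constructed sample log for the example; not taken from any real system.
SAMPLE_LOG = [
    # 203.0.113.5: five failures in ten seconds -> triggers on the fifth
    _fail("Sep  7 09:53:31", "root", "203.0.113.5"),
    _fail("Sep  7 09:53:33", "root", "203.0.113.5"),
    "Sep  7 09:53:36 gw sshd[4243]: Invalid user admin from 203.0.113.5 port 51002",
    _fail("Sep  7 09:53:36", "invalid user admin", "203.0.113.5", 4243, 51002),
    _fail("Sep  7 09:53:39", "invalid user admin", "203.0.113.5", 4243, 51002),
    _fail("Sep  7 09:53:41", "root", "203.0.113.5", 4244, 51004),
    # 198.51.100.7: a user who mistyped twice and then got in -> below the trigger
    _fail("Sep  7 10:02:10", "frank", "198.51.100.7", 4250, 40022),
    _fail("Sep  7 10:02:15", "frank", "198.51.100.7", 4250, 40022),
    "Sep  7 10:02:22 gw sshd[4250]: Accepted password for frank from 198.51.100.7 port 40022 ssh2",
    # 192.0.2.10: six failures from an allowlisted host -> must not be blocked
    *[_fail(f"Sep  7 10:30:{s:02d}", "root", "192.0.2.10", 4260, 33330 + s) for s in range(6)],
    # 198.51.100.99: four failures, a 15-minute pause, four more -> never five in one window
    *[_fail(f"Sep  7 11:00:{10 * s:02d}", "root", "198.51.100.99", 4270, 22222) for s in range(4)],
    *[_fail(f"Sep  7 11:15:{10 * s:02d}", "root", "198.51.100.99", 4271, 22223) for s in range(4)],
]


def demo():
    """Trigger level 5 within 10 minutes, 192.0.2.0/24 exempt, iptables as the action."""
    return Watchdog(threshold=5, window=600, allow=["192.0.2.0/24"]).run(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, cmd in demo().items():
        print(f"trigger for {ip}: {cmd}")
```

The actions only return the iptables rule or the hosts.deny line; a deployment would hand that string to the shell as root, or append the hosts.deny line directly, which needs no firewall privileges and takes effect on the next wrapped connection. Two things keep this from turning into the self-inflicted denial of service raised above: the allowlist, and the sliding window, which means a trickle of mistakes from a legitimate user never accumulates into a ban. Running it with a wider window (say 3600 seconds) or a lower threshold shows how much the trigger level changes who gets blocked, which is exactly why the poster wanted it configurable.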
"FEEB" <feeb@chem.utoronto.ca> writes:
]On 7 Sep 2004 16:56:58 GMT, Mark A. Odell wrote: ]>"FEEB" <feeb@chem.utoronto.ca> wrote in ]>news:srropurzhgbebagbpn.i3ohdhe.pminews@news1.che m.utoronto.ca: ]> ]>>>> I would like to have the following scenario implemented on my ]network: ]>>>> ]>>>> 1. ]>>>> Someone tries repeatedly and illegally to log in as 'admin', 'root' ]or ]>>>> whatever from some IP using SSH (or any other means). ]>>> ]>>>Why not just set hosts.deny to ALL: ALL and then open up only those IPs ]>> or ]>>>domains you wish to allow in hosts.allow? ]>> ]>> We must be open to anyone. That's our business :-) ]> ]>Ah. Then just put the bad IP or IP range into the hosts.deny. Of course ]>this won't scale well for many IP addresses. ]It would be quite inconvenient in our case of 4 full C-blocks. What? You have four full C blocks all of which you want to deny? (actually that is easy, since you can put nets into hosts.deny, not just host addresses). I think you need to make clearer what you want to do and why you want to do it. ]The mechanism of blocking the intruder is available. However, I want to ]do it automatically and only after the certain trigger level has been Again, why? |
|
|||
|
"FEEB" <feeb@chem.utoronto.ca> wrote in message news:<srropurzhgbebagbpn.i3obx7d.pminews@news1.che m.utoronto.ca>...
> Hi, > > I would like to have the following scenario implemented on my network: > > 1. > Someone tries repeatedly and illegally to log in as 'admin', 'root' or > whatever from some IP using SSH (or any other means). > > 2. > When the number of attempts reaches a predefined trigger level, an action > occurs (a script is executed, etc.) > > The definition of attempts, the trigger level and the resulting action > should be configurable. > > Is a watchdog like that that would fulfill my requirements available > somewhere out there or do I have to sit down and start scripting? > > Thanks > > > Frank Bures, <feeb@chem.utoronto.ca> http://www.cipherdyne.org/index.html |