-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
was fail2ban ( http://fail2ban.sourceforge.net/ ) already mentioned?
It works like -sk's script. It searches your auth.log (or wherever your
sshd messages go to) for all typical sshd failure-messages.
After a user-defined count of "n" login failures from one IP where
counted in "x" user-defined seconds, it bans all traffic from that IP
for "t" seconds via iptables.
After "t" seconds the rule will be automatically delete.
On my Debian Sarge server it works quite well. (Included in Debian Etch,
Gentoo and RedHat packages are also available.)
But I haven't tested if fail2ban is vulnerable against DoS-Attacks, for
example if you spoof your IP with the IP of the gateway your server is
directly connected to. And then try to login via ssh on $victim_host
with the IP of $gateway.
- Would have the side-effect that ALL incoming traffic will be dropped,
as long as the rule stays active.
iptables -L output shows the following for fail2ban chain:
##### Before - Empty ruleset #####
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
##### After adding an IP to banlist #####
Chain fail2ban-SSH (1 references)
target prot opt source destination
DROP all -- shell.xxxxxxxxxx.de anywhere
RETURN all -- anywhere anywhere
Though, the iptables-commands can be easily changed in
/etc/fail2ban.conf (look for "fwban").
Just my 2 cents,
Christian "Khark" Lauf
- --
Christian "Khark" Lauf <khark@kharkerlake.net>
GPG: 0x6AADC60A | IRCnet/silcnyet: Khark
silcnyet-Fingerprint: 9424 E3BF B637 E1FC E355 BA7C 01CC 1B68 3A1C E330
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
iD8DBQFEBMSUAaLWKGqtxgoRApY8AJ47D5FfQ/bgIeZ6NSO9YF5hA6IarwCcDdQZ
ohVxfnuF+8FCfMbPYjHtgL4=
=KpTi
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
