Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: OpenSSH -- a way to block recurrent login failures?

from [Warner, Randy] Network Security [Permanent Link]
Subject: RE: OpenSSH -- a way to block recurrent login failures?
Date: Wed, 22 Sep 2004 15:08:09 -0600 
Use pam_tally - http://www.baverstock.org.uk/tim/pam/

Look at pam_tally_autoreset.pl on this page.

--Randy

-----Original Message-----
From: Wilson, Richard E [mailto:richard.wilson@eds.com] 
Sent: Tuesday, September 21, 2004 3:52 PM
To: 'Victor Danilchenko'; secureshell@securityfocus.com
Subject: RE: OpenSSH -- a way to block recurrent login failures?

Victor,

You could have a script add an iptables firewall rule (this assumes that
you're running Linux) that would drop all packets from a given IP or range.
You can find out more about iptables at http://netfilter.org With a simple
rule set like:

iptables -A INPUT xxx.yyy.xxx.yyy -j DROP
iptables -A INPUT -j ACCEPT

You would simply insert DROP lines like the first at the start filling in
the appropriate IP.  While you can put "REJECT" instead of "DROP" in the
lines, it's not recommended -- it uses your bandwidth as well as that of the
"attacker" which may be spoofed.

I hope this helps,

Richard Wilson
EDS

-----Original Message-----
From: Victor Danilchenko [mailto:danilche@cs.umass.edu] 
Sent: Tuesday, September 21, 2004 9:02 AM
To: secureshell@securityfocus.com
Subject: OpenSSH -- a way to block recurrent login failures?


        Hi,

        We are looking for a way to temporarily block hosts from which
we receive a given number of sequential failed login attempts, not
necessarily within the same SSH session (so MaxAuthTries is not enough).
The best solution I could come up with so far would be to run OpenSSH
through TCPWrappers, and set up a log watcher daemon which would edit
/etc/hosts.deny on the fly based on the tracked number of failed logins
for each logged host.

        Is there a better solution known for the sort of problems we
have been plagued with lately -- repeated brute-force crack attempts
from remote hosts? I looked on FreshMeat and I searched the mailing
lists, only to come up empty-handed.

        Thanks in advance,

-- 
|  Victor  Danilchenko  +---------------------+
| danilche@cs.umass.edu | He who laughs last, |
|   CSCF   |   5-4231   | thinks slowest.     |

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: OpenSSH -- a way to block recurrent login failures?, Javier Sanchez
Next by Date:  Re: Locking down ssh config in large env, Robert Hajime Lanning
Previous by Thread:  RE: OpenSSH -- a way to block recurrent login failures?, Wilson, Richard E
Next by Thread:  Re: OpenSSH -- a way to block recurrent login failures?, Casey
Indexes:  [Date] [Thread] [Top] [All Lists]