Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: OpenSSH -- a way to block recurrent login failures?

from [Baker, Darryl] Network Security [Permanent Link]
Subject: RE: OpenSSH -- a way to block recurrent login failures?
Date: Thu, 30 Sep 2004 16:00:40 -0400 
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would suggest looking at this site. They have a PAM module for you.
http://www.comsmiths.com.au/pam/

_____________________________________________________________________
Darryl Baker
gedas USA, Inc.
Operational Services Business Unit
3800 Hamlin Road
Auburn Hills, MI 48326
US
phone   +1-248-754-5341
fax     +1-248-754-6399
Darryl.Baker@gedas.com
http://www.gedasusa.com
_____________________________________________________________________


-----Original Message-----
From: bartek@mail.bicom.pl [mailto:bartek@mail.bicom.pl]On Behalf
Of Bartek Krajnik
Sent: Saturday, September 25, 2004 7:23 PM
To: Victor Danilchenko
Cc: secureshell@securityfocus.com
Subject: Re: OpenSSH -- a way to block recurrent login failures?


On 21-09-2004 at 10:02:22AM -0400, Victor Danilchenko wrote:
VD>   Hi,
VD> 
VD>   We are looking for a way to temporarily block hosts from which
VD> we receive a given number of sequential failed login attempts,
not VD> necessarily within the same SSH session (so MaxAuthTries 
is not enough).
VD> The best solution I could come up with so far would be to 
run OpenSSH
VD> through TCPWrappers, and set up a log watcher daemon 
which would edit
VD> /etc/hosts.deny on the fly based on the tracked number of 
failed logins
VD> for each logged host.
VD> 
VD>   Is there a better solution known for the sort of problems we
VD> have been plagued with lately -- repeated brute-force 
crack attempts
VD> from remote hosts? I looked on FreshMeat and I searched 
the mailing
VD> lists, only to come up empty-handed.
VD> 

mkfifo /dev/auth

Add to syslog.conf:
auth,authpriv.*                 |/dev/auth

reload syslog

Now write simple program which reads data from fifo 
(/dev/auth) and inserts iptables (ipf)
rules (perl will be the best).

Your tool blocks IP's in real time.

I wrote something similar for POP-before-SMTP:
http://www.bmk.bz/logrelay-pop3/

If You have no time try portsentry.

Best regards,
   Bartek.
--
If You want to verify authentication of my e-mail visit: 

www.bmk.bicom.pl
   to get from there my public key.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3

iQA/AwUBQVxl71e1Bhkj9lZeEQI4RwCdG87Ji6ZxdBcSD6jxRR1gUsrdqTgAoOOV
xOLOBwij11G4pJ7ERLL/y/3R
=wg/j
-----END PGP SIGNATURE-----

Attachment: Baker, Darryl.vcf
Description: Binary data

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: how to use x11 forwarding?, Keith Duffin
Previous by Thread:  Re: OpenSSH -- a way to block recurrent login failures?, Casey
Next by Thread:  SFTP is prompting for password, Arivan Varadarajan
Indexes:  [Date] [Thread] [Top] [All Lists]