Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Advice on dealing with scripted SSH attacks?

from [Stowe, Will] Network Security [Permanent Link]
Subject: RE: Advice on dealing with scripted SSH attacks?
Date: Tue, 28 Mar 2006 15:16:01 -0500 
Slog works pretty good. It parses whatever log sshd dumps auth bits to and
pares for failed/incorrect logins. It then calls iptables and blocks the
source IP of the offender based upon your threshold settings.


securelabs.be/slog/



-----Original Message-----
From: Zembower, Kevin [mailto:kzembowe@jhuccp.org] 
Sent: Tuesday, March 28, 2006 9:13 AM
To: secureshell@securityfocus.com
Subject: Advice on dealing with scripted SSH attacks?

What's the current advice on dealing with scripts that repeatedly try to
log onto SSH using a list of common usernames and 'password' for the
password? I get up to 4,000 of these a day from a single server. In
searching Google on this, I've learned of techniques using PAM and
firewall rules that are created dynamically in response to log-in
attempts.

Can someone point out a link or tell me what they think are the best
practices for dealing with this? Sooner or later, one of my users is
going to have the unfortunate combination of a common user name and a
bad password. 

Ideally, what I'd like would be a system that exponentially increases
the timeout period after each repeated failed login attempt from the
same host up to a maximum of 10-20 minutes before resetting.

Thanks for your advice.

-Kevin Zembower
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Advice on dealing with scripted SSH attacks?, Tevfik Karagülle
Next by Date:  RE: Advice on dealing with scripted SSH attacks?, Thompson Seren
Previous by Thread:  RE: Advice on dealing with scripted SSH attacks?, Tevfik Karagülle
Next by Thread:  Re: Advice on dealing with scripted SSH attacks?, Martin Schröder
Indexes:  [Date] [Thread] [Top] [All Lists]