Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Advice on dealing with scripted SSH attacks?

from [Thompson Seren] Network Security [Permanent Link]
Subject: RE: Advice on dealing with scripted SSH attacks?
Date: Tue, 28 Mar 2006 13:47:27 -0700 
 There's a nice package called "fail2ban" on Sourceforge. It works with
the logs of various programs including ssh, apache, etc. and uses
iptables or hosts.deny to block IPs for a period after a specified
number of failures.

 It's written in python and is pretty easy to configure for other
firewalls and logs.

  -Seren Thompson

-----Original Message-----
From: Zembower, Kevin [mailto:kzembowe@jhuccp.org] 
Sent: Tuesday, March 28, 2006 7:13 AM
To: secureshell@securityfocus.com
Subject: Advice on dealing with scripted SSH attacks?

What's the current advice on dealing with scripts that repeatedly try to
log onto SSH using a list of common usernames and 'password' for the
password? I get up to 4,000 of these a day from a single server. In
searching Google on this, I've learned of techniques using PAM and
firewall rules that are created dynamically in response to log-in
attempts.

Can someone point out a link or tell me what they think are the best
practices for dealing with this? Sooner or later, one of my users is
going to have the unfortunate combination of a common user name and a
bad password. 

Ideally, what I'd like would be a system that exponentially increases
the timeout period after each repeated failed login attempt from the
same host up to a maximum of 10-20 minutes before resetting.

Thanks for your advice.

-Kevin Zembower
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Advice on dealing with scripted SSH attacks?, Stowe, Will
Next by Date:  Re: Advice on dealing with scripted SSH attacks?, Martin Schröder
Previous by Thread:  Re: Advice on dealing with scripted SSH attacks?, Daniel Cid
Next by Thread:  sftp-server - file locking, janusz
Indexes:  [Date] [Thread] [Top] [All Lists]