How do I stop bruteforce SSH login attempt?

email.listen at googlemail.com
Wed Apr 12 21:00:49 UTC 2006


On Wed, 12 April 2006 21:04, Soo-Hyun Choi wrote:
> Okay, now, what if I would like to attack back to the machine? I guess
> the machine performing the bruteforce ssh attack would also have been
> cracked by somebody. Assuming the attacking machine is the
> originator, how do I fight back?

One might define reactions to certain attacks in portsentry.conf, e.g. running 
a script.

But I would _STRONGLY_ suggest _NOT_ doing so!
1. You don't know if it is a blackhat or just a hijacked machine
2. Doing so is an attack in itself
3. This is against the law in most countries, e.g. here in Europe
4. Even scanning the attacker is not allowed, because using
   scanning techniques is against the law in many countries. 

But what might be interesting is setting up a so-called tarpit. 
Tarpits work as the name says. They stick an attacker for a certain 
period of time, during which he doesn't attack other machines.
But this is mostly useless if the attack is done by a skilled blackhat and 
not just a script kiddie.


Another often used technique is setting up so-called honeypots or a 
honeynet. 
A honeypot attracts an attacker as honey attracts the bear, so that he can be 
examined.
E.g. Honeywall is a GNU/Linux distribution and a live CD which does this. 
Using a honeypot is a bit of a tricky thing. 
A wrongly configured or misconfigured honeypot brings more harm than it will 
help.

But before doing so, as said before, I would recommend reading some 
IT-security related books. Two to five kg of security literature should be 
enough for a first start, I would say... :-)
You may have a look at: http://www.bsi.de/english/gshb/
BSI (Federal Office for Information Security) is a German state 
authority for IT security (not only) in the public sector. 
This guide mostly follows the directive 'everything which is not explicitly 
allowed is forbidden'. To be honest, you don't make friends setting up a 
network the way BSI suggests... :-))


Maybe it's an idea to start a local security self-study group. Learning in a 
team is IMO more efficient than doing it alone. And it has somewhat of a 
sporting character. I say this because this was the way I, or rather we, started 
at the university some decades ago. We did a kind of network role-play, trying 
to penetrate each other's machines and defeating the attacks.
In the end it is at least a perspective to get skilled in an IT field which 
offers the most and best paid employment I know. ;-)


regards,
Thomas
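The tarpit idea from the reply above, as an added example that is not part of the original post and not a tool the list discusses. It relies on RFC 4253 section 4.2, which allows an SSH server to send arbitrary CRLF-terminated lines before its "SSH-2.0-..." identification string as long as they do not begin with "SSH-"; a client must keep reading until the real banner arrives. The tarpit never sends the real banner, so an automated brute-force client sits in the banner exchange for as long as it is willing to wait, one slow line at a time. All names (SshTarpit, banner_line, read_banner_lines, start_tarpit, connect_client) are the example's own, and the demo binds to an ephemeral port on 127.0.0.1.

```python
import random
import socket
import string
import threading
import time

# Added example (not from the mailing-list post): a minimal SSH tarpit.
# Lowercase letters and digits can never spell "SSH-", so every line we send
# is a legal pre-identification line per RFC 4253 section 4.2.
_ALPHABET = string.ascii_lowercase + string.digits


def banner_line(rng=None):
    """One random CRLF-terminated pre-identification line (3 to 32 chars)."""
    rng = rng or random.Random()
    length = rng.randint(3, 32)
    return "".join(rng.choice(_ALPHABET) for _ in range(length)) + "\r\n"


class SshTarpit:
    """Accepts TCP connections and dribbles banner noise at them forever.

    max_clients caps concurrently trapped connections so the tarpit cannot
    be turned into a file-descriptor exhaustion problem on its own host.
    """

    def __init__(self, host="127.0.0.1", port=0, delay=10.0, max_clients=64):
        self.delay = delay                      # seconds between lines
        self.max_clients = max_clients
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(128)
        self.sock.settimeout(0.5)               # lets serve_forever notice stop()
        self.port = self.sock.getsockname()[1]  # actual port when port=0
        self.active = 0
        self.lock = threading.Lock()
        self.stats = {"accepted": 0, "rejected": 0, "bytes": 0}
        self.running = False

    def serve_forever(self):
        self.running = True
        while self.running:
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                     # listening socket closed by stop()
                break
            conn.settimeout(None)
            with self.lock:
                if self.active >= self.max_clients:
                    self.stats["rejected"] += 1
                    conn.close()                # over the cap: drop, don't trap
                    continue
                self.active += 1
                self.stats["accepted"] += 1
            threading.Thread(target=self._trap, args=(conn, addr), daemon=True).start()

    def _trap(self, conn, addr):
        rng = random.Random()                   # one generator per connection
        try:
            while self.running:
                line = banner_line(rng).encode("ascii")
                with self.lock:
                    self.stats["bytes"] += len(line)   # bytes queued to the client
                conn.sendall(line)
                time.sleep(self.delay)          # the "sticking" part of the tarpit
        except OSError:                         # client gave up and disconnected
            pass
        finally:
            conn.close()
            with self.lock:
                self.active -= 1

    def stop(self):
        self.running = False
        self.sock.close()


def start_tarpit(delay=10.0, max_clients=64):
    """Start a tarpit on an ephemeral localhost port in a background thread."""
    tarpit = SshTarpit(delay=delay, max_clients=max_clients)
    threading.Thread(target=tarpit.serve_forever, daemon=True).start()
    return tarpit


def connect_client(port):
    """Open a plain TCP connection to the tarpit (stands in for an SSH client)."""
    return socket.create_connection(("127.0.0.1", port), timeout=5.0)


def read_banner_lines(sock, count):
    """Read up to `count` CRLF lines; returns fewer if the server hangs up."""
    lines = []
    reader = sock.makefile("rb")
    while len(lines) < count:
        line = reader.readline()
        if not line:
            break
        lines.append(line)
    return lines


if __name__ == "__main__":
    tarpit = start_tarpit(delay=1.0, max_clients=8)
    with connect_client(tarpit.port) as client:
        for line in read_banner_lines(client, 3):
            print("trapped client got:", line)
    tarpit.stop()
    print("stats:", tarpit.stats)
```

A real deployment would listen on the port the brute-force tools actually hit and move the genuine sshd elsewhere; the delay is what costs the attacker time, while max_clients is what keeps the tarpit from becoming a resource problem for the defender. As the reply notes, a scanner written to give up on slow banners is not held by this at all.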




More information about the ubuntu-users mailing list