Odd ssh attacks?

Njoku, George O. njokug at winthrop.edu
Fri Jul 20 13:48:47 UTC 2007


I constantly monitor my log files (ssh = /var/log/secure on Fedora,
/var/log/auth.log on Ubuntu).

I wrote a Perl script and put it in cron (4 times an hour) to block the IPs of
probes ("Invalid user").
Normally ssh client bots keep trying different users to brute force
their way in.

Rather than having them constantly flooding my network with
requests, I just block the IP.
Currently I use iptables, but it could be better to put them in
hosts.deny.

I know...unconventional, but ok.

George
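The log-driven blocking George describes, as an added example (not his Perl script): a POSIX shell script that counts sshd "Invalid user" lines per source address and emits an iptables rule for every address at or above a threshold. The log lines are constructed in the syslog format sshd writes to /var/log/secure or /var/log/auth.log; the threshold and rule shape are assumptions.

```shell
#!/bin/sh
# Added example: count "Invalid user" probes per source IP in an sshd log and
# print an iptables DROP rule for each IP at or above a threshold. The log is
# constructed sample data; in a cron job you would feed the real file instead.
SAMPLE_LOG='Jul 20 09:01:12 host sshd[2101]: Invalid user admin from 203.0.113.7
Jul 20 09:01:13 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 20 09:01:15 host sshd[2103]: Invalid user oracle from 203.0.113.7
Jul 20 09:01:19 host sshd[2105]: Invalid user test from 203.0.113.7
Jul 20 09:02:02 host sshd[2110]: Invalid user guest from 198.51.100.22
Jul 20 09:03:44 host sshd[2120]: Accepted publickey for george from 192.0.2.10 port 51022 ssh2'

# offenders THRESHOLD -- reads log lines on stdin and prints "count ip" for
# every IP with at least THRESHOLD "Invalid user" lines, highest count first.
# Only the "Invalid user X from IP" line is matched, so the follow-up
# "Failed password for invalid user ..." line does not double-count an attempt.
offenders() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Invalid user / {
            # the source address is the field right after "from"
            for (i = 1; i < NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# block_rules THRESHOLD -- prints the iptables commands rather than running
# them, so the output can be reviewed (or piped to sh from cron) first.
block_rules() {
    offenders "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP  # %s invalid users\n' "$ip" "$count"
    done
}

# Usage: real logs would be "block_rules 3 < /var/log/auth.log".
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

With the sample input only 203.0.113.7 (three probes) crosses the threshold; 198.51.100.22 with a single probe does not, which is the point of thresholding rather than blocking on the first bad username. The rules carry no expiry, so the shared-address concern raised later in the thread (NAT, dial-up pools) applies: a cron job that flushes old entries, or a time-limited mechanism like fail2ban or the iptables recent match, keeps a one-off probe from becoming a permanent block.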



-----Original Message-----
From: ubuntu-users-bounces at lists.ubuntu.com
[mailto:ubuntu-users-bounces at lists.ubuntu.com] On Behalf Of David Ford
Sent: Friday, July 20, 2007 9:30 AM
To: Ubuntu user technical support, not for general discussions
Subject: Re: Odd ssh attacks?

[...]
>>> For example,
>>> $IPTABLES -I INPUT -s 203.127.160.155 -j DROP
>>>       
>> Note, that this is OK for a home user, probably not a good idea for the
>> Corporate webserver, as you are banning everybody who will ever use the
>> same IP address (think dial up users, and folks behind NATed firewalls).
>>     
>  
> Second that. That's what fail2ban (available in your favorite universe) is
> about. It blocks an offending ip (after some failed login attempts) for a
> predetermined period.
>   
And that's why ipt_recent via iptables is even better.  It's all done on
the kernel side without any context switching or memory use.  Packets
get stopped much sooner, much faster and with far fewer resources used.

Fully automatic with heuristics and even manageable in userland with echo
x.x.x.x > y and echo -x.x.x.x > y

I use this to match ssh probes and I use it for blocking spam senders. 
More than N hits per 60 seconds for ssh and you get firewalled for an
hour.  Send me an email that scores higher than 10 with spamassassin and
you get TARPIT'd for 7 days on port 25.

It works wonders for dropping the load on a mail server.

-david
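The kernel-side rate limit David describes, written out as an added example (not his ruleset) using the iptables "recent" match that the ipt_recent module provides. The numbers are assumptions standing in for his "N hits per 60 seconds": the fifth new SSH connection from one address inside 60 seconds puts it on a block list for 3600 seconds. The chain names and list names are also made up for the example.

```shell
#!/bin/sh
# Added example: SSH probe limiting with the iptables "recent" match.
# Assumed policy: 5 new connections from one address within 60 s -> blocked 3600 s.
IPTABLES=${IPTABLES:-iptables}   # set IPTABLES="echo iptables" to dry-run
HITS=5          # the HITS-th new connection inside WINDOW trips the block
WINDOW=60       # seconds over which attempts are counted
BLOCK=3600      # seconds an address stays blocked

# ssh_recent_rules -- prints the rules in dependency order. Run it to review
# them, or "ssh_recent_rules | sh" on the firewall host to apply them.
ssh_recent_rules() {
    cat <<EOF
$IPTABLES -N SSH_CHECK
$IPTABLES -N SSH_BLOCK
# Only new SSH connections are checked; established sessions never hit the lists.
$IPTABLES -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_CHECK
# 1. Anyone put on the block list within the last $BLOCK seconds is dropped.
#    --rcheck leaves the timestamp alone, so the block ends $BLOCK s after it began;
#    use --update instead if continued probing should extend it.
$IPTABLES -A SSH_CHECK -m recent --name sshblock --rcheck --seconds $BLOCK -j DROP
# 2. Record this attempt in the probe list (a match-only rule, no target).
$IPTABLES -A SSH_CHECK -m recent --name sshprobe --set
# 3. $HITS or more attempts inside $WINDOW seconds: hand the address to SSH_BLOCK.
$IPTABLES -A SSH_CHECK -m recent --name sshprobe --rcheck --seconds $WINDOW --hitcount $HITS -j SSH_BLOCK
$IPTABLES -A SSH_CHECK -j ACCEPT
# SSH_BLOCK adds the address to the block list and drops the packet.
$IPTABLES -A SSH_BLOCK -m recent --name sshblock --set -j DROP
EOF
}

ssh_recent_rules
```

The two-list layout separates counting from blocking, which is what gives a fixed one-hour penalty instead of one that silently resets. The lists are the userland handles David mentions: `cat /proc/net/xt_recent/sshblock` shows who is blocked (older kernels use /proc/net/ipt_recent/), `echo +198.51.100.22 > /proc/net/xt_recent/sshblock` adds an address by hand, `echo -198.51.100.22 >` the same file releases one, and `echo / >` clears the list. Two limits to keep in mind: `--hitcount` cannot exceed the module's per-address packet history (20 by default), and each list holds a bounded number of addresses (100 by default), both adjustable as module parameters.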

-- 
ubuntu-users mailing list
ubuntu-users at lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
