Re: SSH and login attack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 18 Jun 2005, Mike Pepe wrote:
> Thomas Cameron wrote:
> > These attacks appear to me to fire multiple concurrent connections to
> > get around the delay.
> Possibly. I found a script out there and modified it a bit, this will 
> block the attacker after opening up 3 concurrent connections in 60 seconds:

I prefer pam_abl myself: http://www.hexten.net/sw/pam_abl/index.mhtml

It automatically blacklists IPs which fail more than X logins in a 
user-specified time. All attempts after that fail, even if the user+pass 
supplied is correct.

Firewalling miscreants out is a dead giveaway for them, so they give up 
and immediately move on to the next victim. pam_abl is nice because it makes 
them waste their time.

Jun 13 05:18:47 sasami pam_abl[7593]: Blocking access from 210.0.178.146 to service sshd, user root
[...]
Jun 16 04:44:15 sasami pam_abl[20188]: Blocking access from 202.76.92.199 to service sshd, user root
[...]
Jun 16 07:15:28 sasami pam_abl[40]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user mysql
Jun 16 07:31:33 sasami pam_abl[26812]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:38 sasami pam_abl[13388]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:43 sasami pam_abl[7209]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root

<3 <3 <3 <3 <3

It warms the heart to watch all these criminals waste their time bouncing off your auto-blacklist.

-Dan


[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]