Re: SSH Brute force attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Portsentry listens to a set of ports you set. when someone nmaps your
machine or do some kind of scanning on certain ports, portsentry blocks
that IP via the method you prefer (ipchain, iptables...) and it can echo
the IP to /etc/hosts.deny thus droping all connections with the
attacker. I want to expand the SSH Brute force script to enable this
feature.
It is not important to know if an IP is already in the /etc/hosts.deny
list because since the IP is droped and denied from accessing, the IP
won't reach the brute force script, so normaly you won't have repetition
of IPs.

 


On Thu, 2005-06-02 at 11:43 -0500, Taylor, Grant wrote:
> Sadus . wrote:
> > Is there a way to parse the attacker's IP and block it permanantly via:
> > iptables -A INPUT -s $IP -j DROP
> > and cat > /etc/hosts.deny ?
> 
> The closest thing that I can think of at the moment would be to LOG the packet with a custom "--log-prefix" that is being watched for by a user space daemon and have this daemon add the IP in question to an ipset set list and /etc/hosts.deny.  To take advantage of the ipset set list you would have to use the set match extension to see if the IP was in the set list or not and take action based on that.  If you would like I could ponder this for a while and get back to you on how I would go about doing this.
> 
> > something close to what portsentry does, but using that SSH iptables
> > Brute force script.
> 
> I'm not familiar with port sentry, can you tell me more about it or give me a URL to look at?  I'll Google for it and take a look when I have some more time to spare to see if I can better answer your question(s).
> 
> > This thread went big and confusion reigned on the latest version of the
> > Brute Force script, kindly post the latest/best iptable rules :)
> 
> I will repost the script as it is presently in a new reply to the original message so that it is at the bottom of the thread.  I'll also include a version number in the subject line to make this easier to look at in the future.  For now you can see the most current version of the script in this message available here https://lists.netfilter.org/pipermail/netfilter/2005-May/060734.html .  I'll post a friarly lengthy email with the basic script in a couple of different forms and the various pros and cons to each form.  For now the main difference is that I'm not jumping to the SSH_Brute_Force chain the way that is posted in the list for various reasons I'll explain in the forthcoming email.
> 
> > thanks
> 
> No problem.
> 
> 
> 
> Grant. . . .
> 
-- 
Sadus . <sadus@xxxxxxxxxxxx>
Swiftbin.net



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux