Re: SSH Brute force attacks


 



Sadus . wrote:
> Portsentry listens to a set of ports you set. When someone nmaps your
> machine or does some kind of scanning on certain ports, portsentry blocks
> that IP via the method you prefer (ipchain, iptables...) and it can echo
> the IP to /etc/hosts.deny, thus dropping all connections with the
> attacker. I want to expand the SSH Brute force script to enable this
> feature.
> It is not important to know if an IP is already in the /etc/hosts.deny
> list because since the IP is dropped and denied from accessing, the IP
> won't reach the brute force script, so normally you won't have repetition
> of IPs.

I'm working on a re-write of the SSH_Brute_Force chain on my home firewall.  This rewrite will be VERY different and should be the foundation for much growth and adaptation into other things as well.  The basic idea behind it is to use a multi-level triggering system.  Restated in English, if you trigger the first level you are banned for a specific amount of time.  If you trip the first level and are banned for the specified amount of time and then re-trip the first level, you are then banned at the second level and banned for a longer time.  At present my levels are as follows: 1 minute, 1 hour, 1 day, 1 week, 1 month, 1 year and then permanent ban.  I'm also adding IPs to a recent list that can be checked by other chains early on in the chain set outside of the SSH_Brute_Force chain.  Needless to say it's very complex and I'm doing some testing to make sure that it works the way that I want it to.  Once I get it working I'll either post it to this thread or start a new one with an appropriate subject.  I'm trying to include some functionality or the capability of the functionality of Portsentry as you have requested.

I'm not sure if /etc/hosts.deny will prevent packets from entering IPTables or not, as I thought that the file was read by user space daemons as a list of IPs to never talk to, not necessarily to the IP table to deny access to.  I could be wrong on this though.



Grant. . . .
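
The escalating ban ladder described in the message above, modelled as a small state machine that can be replayed over failed-login timestamps. This is an added example, not part of the original post and not the poster's firewall rules. The trip condition (3 failures in 60 seconds), the 30-day month, the 365-day year and the rule that levels never decay are assumptions, and the address is a constructed sample.

```python
import math
from collections import defaultdict, deque

MIN, HOUR, DAY = 60, 3600, 86400
# Ladder from the post; month = 30 days and year = 365 days are assumptions.
LADDER = [MIN, HOUR, DAY, 7 * DAY, 30 * DAY, 365 * DAY, math.inf]
# Assumed trip condition (the post does not define one): 3 failures in 60 s.
THRESHOLD, WINDOW = 3, 60


class BanLadder:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.level = defaultdict(int)       # ip -> number of bans issued so far
        self.banned_until = {}              # ip -> expiry time (inf = permanent)

    def is_banned(self, ip, now):
        return now < self.banned_until.get(ip, 0)

    def failed_login(self, ip, now):
        """Record one failure; return the ban length in seconds if it trips, else None."""
        if self.is_banned(ip, now):
            return None  # dropped at the firewall, never reaches the counter
        q = self.failures[ip]
        q.append(now)
        while q and q[0] <= now - WINDOW:
            q.popleft()
        if len(q) < THRESHOLD:
            return None
        q.clear()
        # Levels only go up (assumption; the post does not mention decay).
        duration = LADDER[min(self.level[ip], len(LADDER) - 1)]
        self.level[ip] += 1
        self.banned_until[ip] = now + duration
        return duration


def replay(events):
    """Replay (timestamp, ip) failures; return a list of (timestamp, ip, ban_seconds)."""
    ladder, bans = BanLadder(), []
    for ts, ip in events:
        d = ladder.failed_login(ip, ts)
        if d is not None:
            bans.append((ts, ip, d))
    return bans


# Constructed sample: one source that comes back after each ban expires.
SAMPLE = [(t, "203.0.113.7") for t in (0, 1, 2, 30, 70, 71, 72, 100, 4000, 4001, 4002)]
```

Replaying `SAMPLE` gives bans of one minute, one hour and one day in turn; the attempts at t=30 and t=100 fall inside an active ban and are not counted.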

