On Jan 06, 2007, Jan Engelhardt wrote:
>
> > I've seen a few references here to scripts that monitor attacks and
> > dynamically update iptables rules to knock down the attacks. Can anyone
> > provide some good research starting points or sample scripts that they use?
>
> denyhosts.sf.net?

While denyhosts is a good concept, I question whether it provides a real security benefit. If a new remotely exploitable vulnerability is discovered in OpenSSH (or other ssh implementation) it will most likely have nothing to do with trying to brute force passwords. Doing a quick search through http://www.securityfocus.com/bid/ turns up recent SSH security issues (not necessarily highly critical, but it is only a matter of time).

A better strategy is to use iptables to maintain a default-drop stance against all attempts to connect to the SSH daemon, but allow access via Single Packet Authorization. This way people can't even tell that you are running an SSH server at all. An nmap scan is completely useless against this, and it doesn't matter even if someone has a zero-day attack for your SSH daemon.

Here is an SPA implementation:

http://www.cipherdyne.org/fwknop/

(Disclaimer: I developed fwknop)

Here is a howto for using GPG keys with fwknop:

http://www.cipherdyne.org/fwknop/docs/gpghowto.html

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
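The SPA flow the message describes, as an added example that is not part of the original post and is not fwknop's own code or packet format (fwknop uses its own encrypted format; the HMAC-SHA256 layout, the 30-second freshness window, the shared key and the helper names below are all assumptions made here). The client builds one authenticated datagram; the server, which sends nothing back, verifies the tag, rejects stale and replayed packets, checks that the embedded address matches where the packet actually came from, and only then produces the iptables ACCEPT rule for that source while the INPUT policy stays DROP. A port scanner that never sends a valid packet is indistinguishable from any other dropped traffic:

```python
"""Illustrative Single Packet Authorization exchange (added example, not fwknop code).

Client: nonce || timestamp || port || src_ip, HMAC-SHA256 over all of it.
Server: validate silently; a good packet yields the iptables rule to run.
All keys, field layout and window values are assumptions for this demo.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

MAC_LEN = 32          # HMAC-SHA256 tag length
NONCE_LEN = 16        # random per-packet nonce, used for replay detection
HEADER_FMT = "!QH"    # 64-bit unix timestamp, 16-bit destination port
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_spa_packet(key, src_ip, port, now=None, nonce=None):
    """Client side: return the base64 datagram payload for one access request."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ts = int(time.time() if now is None else now)
    body = nonce + struct.pack(HEADER_FMT, ts, port) + src_ip.encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaServer:
    """Server side: passively observes packets and never replies to the sender."""

    def __init__(self, key, window=30):
        self.key = key
        self.window = window          # seconds of clock skew tolerated (assumed value)
        self.seen_nonces = set()      # replay cache for the lifetime of the process

    def validate(self, packet, observed_src_ip, now=None):
        """Return (src_ip, port) for a fresh, authentic, unseen packet, else None."""
        try:
            raw = base64.b64decode(packet, validate=True)
        except (ValueError, TypeError):
            return None                                   # garbage: silently dropped
        if len(raw) < NONCE_LEN + HEADER_LEN + MAC_LEN:
            return None
        body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):        # forged, or wrong key
            return None
        nonce = body[:NONCE_LEN]
        ts, port = struct.unpack(HEADER_FMT, body[NONCE_LEN:NONCE_LEN + HEADER_LEN])
        src_ip = body[NONCE_LEN + HEADER_LEN:].decode("ascii")
        now = int(time.time() if now is None else now)
        if abs(now - ts) > self.window:                   # stale: captured packet replayed later
            return None
        if src_ip != observed_src_ip:                     # address in packet must match the wire
            return None
        if nonce in self.seen_nonces:                     # exact replay inside the window
            return None
        self.seen_nonces.add(nonce)
        return src_ip, port


def accept_rule(src_ip, port):
    """The firewall change a valid packet triggers; the INPUT policy itself stays DROP."""
    return ("iptables -I INPUT -s %s -p tcp --dport %d "
            "-m state --state NEW -j ACCEPT" % (src_ip, port))


if __name__ == "__main__":
    key = b"constructed-shared-secret"                    # constructed demo key
    pkt = build_spa_packet(key, "203.0.113.7", 22)
    result = SpaServer(key).validate(pkt, "203.0.113.7")
    print(accept_rule(*result) if result else "dropped")
```

In a real deployment the rule would be inserted with a short lifetime and removed again once the SSH session is established, and the replay cache would have to survive daemon restarts; the point of the demo is that every failure path returns nothing to the sender, so the only observable state for a scanner is "filtered".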