Block IPs of brute force attackers?

Status
Not open for further replies.

donb01 (IS-IT--Management), Feb 20, 2006
On occasion when I inspect my server security logs I see hundreds of failed password attempts on ssh, guessing at user names, yadda yadda. I never have to worry about them getting in as root 'cause I have that blocked. I normally login as me and do su if needed, and most of my other user names are hokey enough to not just guess.

Of course when I see this I send a note to iptables to block the offending IP, but this is always after the fact and the person may never come back to try again. I am wondering if there is some option or some kind of script or something that can know if the same IP has tried to login more than X times within Y minutes, and if so automatically add the IP to the blocked list.

I want the timer on there only so it isn't cumulative over considerable time and I don't eventually lock myself out from entering my own password wrong enough times...

Anything would be easier than having to find all these and enter them in by hand all the time.

Thanks in advance.
 
I am assuming this is an internet facing machine? If so why do you need to have SSH opened to the world (unless you allow SFTP access). Don't work with IPTables much but you should be able to setup a rule to block incoming SSH traffic except for your IP or setup the ssh daemon to listen on an alternate port number.
 
This machine hosts a variety of things (web, mail, ftp, dns, yadda) and I log into it regularly for remote twiddling, checking logs, adjusting things, etc from other than my own network.

Shorewall does a pretty good job of nuking the requests for ports I don't have open, but it can't do anything about the ones that are open for my use....

 
do a search for ssh_brute_blocker

I use a couple of these type of scripts and they work quite well

Norm
 
Did you try host.allow and host.deny?

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Sure, I know what they do, but it's just as easy for me to drop a command line for iptables as it is for me to edit those files and drop them in one at a time.

I looked up some of the scripts suggested in a previous post but was at work and didn't have time to implement anything yet.

for iptables it's just:

iptables -A INPUT -s IPofOffender -j DROP

But then I still have to be looking at the logs a lot to catch them...
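As an added example (not code from the thread), here is what the "X failures within Y minutes" logic from the original question looks like when written out: it reads sshd "Failed password" lines from an auth log, keeps a sliding window of failure times per source address, and emits the same iptables DROP command as above for any address that crosses the threshold. The log lines, addresses and timestamps are constructed for the example; the window means a legitimate user's occasional typos spread over hours never add up, and the `ignore` set is the place to put your own address so you cannot ban yourself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (not from the original thread);
# 192.0.2.10 is a guessing script, 198.51.100.7 is a real user with typos.
SAMPLE_LOG = """\
Feb 20 21:14:02 host sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Feb 20 21:14:05 host sshd[2212]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Feb 20 21:14:09 host sshd[2214]: Failed password for root from 192.0.2.10 port 51251 ssh2
Feb 20 21:14:12 host sshd[2216]: Failed password for invalid user test from 192.0.2.10 port 51260 ssh2
Feb 20 21:14:30 host sshd[2220]: Failed password for donb from 198.51.100.7 port 40012 ssh2
Feb 20 21:20:01 host sshd[2230]: Accepted password for donb from 198.51.100.7 port 40020 ssh2
Feb 20 21:31:00 host sshd[2240]: Failed password for donb from 198.51.100.7 port 40030 ssh2
Feb 20 21:31:10 host sshd[2241]: Failed password for donb from 198.51.100.7 port 40031 ssh2
Feb 20 21:31:20 host sshd[2242]: Failed password for donb from 198.51.100.7 port 40032 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_timestamp(ts, year=2006):
    """Syslog timestamps carry no year; the year is an assumed parameter."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def offenders(log_text, max_failures=4, window_seconds=600, ignore=()):
    """Return {ip: time the threshold was first crossed} for every address
    with at least max_failures failed passwords inside any window of
    window_seconds. Addresses in `ignore` (your own) are never reported."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in ignore or ip in blocked:
            continue
        t = parse_timestamp(m.group("ts"))
        q = recent[ip]
        q.append(t)
        # Sliding window: forget failures older than window_seconds, so a
        # slow trickle of typos over hours never accumulates into a ban.
        while q and (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = t
    return blocked


def iptables_commands(blocked):
    """The same rule the poster types by hand, one per offending address."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    # With real logs you would feed /var/log/auth.log (or secure) here and
    # run the commands instead of printing them.
    for cmd in iptables_commands(offenders(SAMPLE_LOG, ignore={"203.0.113.5"})):
        print(cmd)
```

On the sample, 192.0.2.10 crosses four failures in ten seconds and gets a DROP rule; 198.51.100.7 has four failures in total but never four within ten minutes, so it is left alone. Run from cron against the real log, this reproduces the after-the-fact iptables step automatically; the `bantime` side (expiring the rule again) is what fail2ban adds on top.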

 
One of the easier ideas to block script kiddies is simply to change the port being used for SSH. You should see a dramatic reduction in attempts.
 
There are a couple of utilities that may be of interest to you.

1 - fail2ban. This utility works in conjunction with IPTables to dynamically block offending IP addresses against this type of activity.

In either case, you can set how long you would like to ban the offending IP address.

2 - Snort + Ossec. Snort is a network based intrusion detection system and Ossec is a host based intrusion detection system. The two work in conjunction with each other to block the offending IP addresses against SSH and other, even more insidious forms of hacker activity. The security forum of Ubuntuforums.org has an excellent (sticky) howto post on installing and setting up both of these utilities.

I personally use all three. With Snort and Ossec, if you have a web page, you can have them collect data and store it in a database which can then be monitored and managed via a PHP based page.
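For the fail2ban suggestion, an added example (not from the thread or the fail2ban project) of the settings that map onto the original question: `maxretry` is the X attempts, `findtime` the Y minutes in seconds, `bantime` how long the address stays blocked, and `ignoreip` keeps your own addresses out of the jail. The jail section name `[sshd]`, the log path and the address ranges are assumptions; older fail2ban releases name the jail `[ssh-iptables]` and distributions differ on the log path, so check the shipped jail.conf.

```ini
# /etc/fail2ban/jail.local (assumed path; overrides jail.conf)
[DEFAULT]
# Never ban these: loopback plus the network you administer from (assumed range),
# so mistyping your own password cannot lock you out.
ignoreip = 127.0.0.1/8 203.0.113.0/24

[sshd]
enabled  = true
port     = ssh
logpath  = /var/log/auth.log
# ban after 4 failures seen within 600 seconds ...
maxretry = 4
findtime = 600
# ... and keep the iptables rule for an hour, then remove it automatically
bantime  = 3600
```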

 
Thanks - I'm going to check on those options later this evening when I get a chance to sit down a few minutes. I've heard of Snort on Sans, so I have a general idea of what it does...

 
I grabbed and installed DenyHosts - it seems to work really well on first glance and was very easy to set up. Now I'll just keep an eye on the logs for awhile and see how it does. Another nice thing is it appears to also be easily configured to block on failed access to other services as well.

Thanks for all the help.
 