[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Stopping SSH dictionary attacks?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Stopping SSH dictionary attacks?
- From: Chris Weiss <cweiss_(_at_)_casadelove_(_dot_)_com>
- Date: Tue, 21 Dec 2004 09:52:48 -0800
So I notice in my authlog that someone's been hitting my SSH daemon with
a 'dictionary' username attack from multiple IPs. It's not really
causing too much trouble (I've only got one name in the AllowUsers
config option), but I sure would like to put a stop to it.
I was really hoping that the SSHD had some sort of timeout for
authorization failures that would cause the daemon to reject any further
attempts from a failed IP for x minutes after x failed attempts, but
there doesn't seem to be that facility - am I missing something?
The box with the SSH Daemon is behind an IPCop firewall that
port-forwards the SSH port.
One solution I'm considering is writing a script that parses authlog
every hour or so and adds any IPs with more than x failed login attempts
to ipcop/etc/hosts_deny, am I on the right track with this (has someone
already done it - I'm a big fan of not re-inventing the wheel)?
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.2 - Release Date: 12/20/2004
This message has been scanned for viruses and
dangerous content, and is believed to be clean.