Stopping SSH dictionary attacks?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Stopping SSH dictionary attacks?
- From: Chris Weiss <cweiss_(_at_)_casadelove_(_dot_)_com>
- Date: Tue, 21 Dec 2004 09:52:48 -0800
So I notice in my authlog that someone's been hitting my SSH daemon with
a 'dictionary' username attack from multiple IPs. It's not really
causing too much trouble (I've only got one name in the AllowUsers
config option), but I sure would like to put a stop to it.

I was really hoping that the SSHD had some sort of timeout for
authorization failures that would cause the daemon to reject any further
attempts from a failed IP for x minutes after x failed attempts, but
there doesn't seem to be that facility - am I missing something?

The box with the SSH Daemon is behind an IPCop firewall that
port-forwards the SSH port.

One solution I'm considering is writing a script that parses authlog
every hour or so and adds any IPs with more than x failed login attempts
to ipcop/etc/hosts_deny, am I on the right track with this (has someone
already done it - I'm a big fan of not re-inventing the wheel)?
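
A sketch of the log-parsing approach asked about above, added here as an example and not part of the original message: it counts "Failed password" lines per source address and emits hosts.deny-style entries for addresses over a threshold. The log lines are constructed, the `sshd: <ip>` output format assumes an sshd built with TCP wrappers support, and `count_failures`, `deny_lines` and the allow list are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample lines in syslog/OpenSSH style (not taken from the post).
SAMPLE_AUTHLOG = """\
Dec 21 09:40:01 gw sshd[2101]: Failed password for illegal user admin from 192.0.2.10 port 4001 ssh2
Dec 21 09:40:03 gw sshd[2102]: Failed password for illegal user test from 192.0.2.10 port 4002 ssh2
Dec 21 09:40:05 gw sshd[2103]: Failed password for root from 192.0.2.10 port 4003 ssh2
Dec 21 09:40:09 gw sshd[2104]: Failed password for invalid user guest from 198.51.100.7 port 5100 ssh2
Dec 21 09:41:00 gw sshd[2105]: Accepted password for chris from 203.0.113.5 port 6000 ssh2
Dec 21 09:41:30 gw sshd[2106]: Failed password for chris from 203.0.113.5 port 6001 ssh2
Dec 21 09:41:31 gw sshd[2107]: Failed password for chris from 203.0.113.5 port 6002 ssh2
Dec 21 09:41:32 gw sshd[2108]: Failed password for chris from 203.0.113.5 port 6003 ssh2
Dec 21 09:42:00 gw sshd[2109]: Failed password for illegal user a from 198.51.100.7 port 22 ssh2 from 192.0.2.99 port 7000 ssh2
"""

# The user name is text chosen by the remote side and may contain spaces or
# even "from <ip>". The greedy ".*" plus the "$" anchor take the address from
# the end of the line, which sshd itself writes. IPv4 only in this sketch.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def count_failures(log_text):
    """Return a Counter of failed-password lines per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def deny_lines(log_text, threshold, allow=frozenset()):
    """hosts.deny entries for IPs with more than `threshold` failures.

    `allow` holds addresses that must never be blocked (your own), so a few
    mistyped passwords cannot lock the administrator out.
    """
    hits = count_failures(log_text)
    return [f"sshd: {ip}" for ip in sorted(hits)
            if hits[ip] > threshold and ip not in allow]


if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE_AUTHLOG, 2, allow={"203.0.113.5"})))
```
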