Protecting against ssh brute-force attacks

Jeff Pitman jeff.pitman at gmail.com
Thu Nov 3 20:07:39 UTC 2005


On 11/1/05, Nicolas Mailhot <nicolas.mailhot at laposte.net> wrote:
>
> Anyone tried them ? Care to recommend one or the other ?
>


Since the discussion focused on denyhosts, I installed pam_abl to see how it
stacked up. Wow. To sum it up in one word.

Now, I knew this brute force was coming through because I had crons dumping
out saying what users were failing and crap. Running the included "pam_abl"
program, it reports some statistics and stuff that it did based on what had
happened.

For example, for failed hosts, I got the following in a couple of hours of
running it:

Failed hosts:
140.130.111.211 (9)
Not blocking
219.149.13.154 (7)
Not blocking
61-218-175-2.hinet-ip.hinet.net (4529)
Blocking users [*]
80.169.137.162 (1)
Not blocking

Check that, 4529. Most of it was hitting root. There's also a report of
which users were tried (of course, we all knew about this coming from cron)
and also the associated counts. My list is too long to be of use as an
example.

The CPU utilization is great. Maintained previous levels without any hit.

But, disadvantage is not having an iptables lockout of the hosts engaged in
their devious behaviors. This would be cool. Kind of get sick of the logs in
LogWatch. pam_abl does *not* alleviate the log problem.

--
-jeff