SSH and login attack
Dan Hollis
goemon at anime.net
Sat Jun 18 14:27:21 UTC 2005
On Sat, 18 Jun 2005, Mike Pepe wrote:
> Thomas Cameron wrote:
> > These attacks appear to me to fire multiple concurrent connections to
> > get around the delay.
> Possibly. I found a script out there and modified it a bit, this will
> block the attacker after opening up 3 concurrent connections in 60 seconds:
I prefer pam_abl myself: http://www.hexten.net/sw/pam_abl/index.mhtml

It automatically blacklists IPs which fail more than X logins in a
user-specified time. All attempts after that fail, even if the user+pass
supplied is correct.

Firewalling miscreants out is a dead giveaway for them, so they give up
and immediately move on to the next victim. pam_abl is nice because it makes
them waste their time.

Jun 13 05:18:47 sasami pam_abl[7593]: Blocking access from 210.0.178.146 to service sshd, user root
[...]
Jun 16 04:44:15 sasami pam_abl[20188]: Blocking access from 202.76.92.199 to service sshd, user root
[...]
Jun 16 07:15:28 sasami pam_abl[40]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user mysql
Jun 16 07:31:33 sasami pam_abl[26812]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:38 sasami pam_abl[13388]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:43 sasami pam_abl[7209]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
<3 <3 <3 <3 <3
It warms the heart to watch all these criminals waste their time bouncing off your auto-blacklist.
-Dan
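
The blacklisting behaviour described in the message above, as an added example that is not part of the original post and is not pam_abl's own code: a simplified sliding-window model in which a host with more than X recent failures is refused even when the password is correct. The class and function names, the thresholds, and the rule that refused attempts also count as failures are assumptions made for illustration.

```python
from collections import defaultdict, deque


class AutoBlacklist:
    """Simplified fail-count blacklist (hypothetical model, not pam_abl's implementation)."""

    def __init__(self, max_failures, window_seconds):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # host -> timestamps of failed attempts

    def is_blocked(self, host, now):
        q = self.failures[host]
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return len(q) > self.max_failures

    def attempt(self, host, password_ok, now):
        """Return True only if the login is allowed."""
        if self.is_blocked(host, now):
            # Assumption: an attempt refused by the blacklist is itself recorded
            # as a failure, so a persistent source keeps itself blocked.
            self.failures[host].append(now)
            return False
        if not password_ok:
            self.failures[host].append(now)
            return False
        return True


def replay(events, max_failures=3, window_seconds=3600):
    """Replay time-ordered (seconds, host, password_ok) events; return each outcome."""
    bl = AutoBlacklist(max_failures, window_seconds)
    return [bl.attempt(host, ok, t) for t, host, ok in events]


# Constructed sample events using documentation-range addresses.
SAMPLE = [
    (0, "192.0.2.10", False),
    (5, "192.0.2.10", False),
    (10, "192.0.2.10", False),
    (15, "192.0.2.10", False),    # fourth failure: more than 3 inside the window
    (20, "192.0.2.10", True),     # correct password, still refused
    (25, "198.51.100.7", True),   # unrelated host is unaffected
    (3620, "192.0.2.10", True),   # earlier failures have aged out of the window
]

if __name__ == "__main__":
    for event, allowed in zip(SAMPLE, replay(SAMPLE)):
        print(event, "allowed" if allowed else "refused")
```
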