Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

fulldisclosure logo Full Disclosure mailing list archives

RE: SSH Bruteforce blocking script
From: "Michael L Benjamin" <mike.benjamin () clarinet com au>
Date: Mon, 5 Sep 2005 11:50:54 +0800
 
Thanks miah,

I wasn't aware of this functionality in iptables. It doesn't offer the
kind of permanency or logging that
I might want, but it's a good suggestion nonetheless for other
services/situations.

Mike.


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of miah
Sent: Friday, September 02, 2005 11:56 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script

If you're running iptables why not make use of hashlimit?  Once a limit
is reached all connection attempts from that IP would be blocked until
the hash entry expires.

An example pulled from the web:
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \
1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \ --state NEW
-j ACCEPT

https://www.redhat.com/archives/fedora-test-list/2005-August/msg00061.ht
ml
http://tinyurl.com/94fak

Also, don't forget to man iptables or iptables -m hashlimit -h 

-miah

On Fri, Sep 02, 2005 at 07:33:02PM +0800, Michael L Benjamin wrote:



-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pedro 
Hugo
Sent: Friday, 2 September 2005 05:53 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script

Hi,


I don't want to debate the goodness or badness of the strategy of 
blocking hosts like this in /etc/hosts.deny. It works perfectly for 
me, and most likely would for you, so no religious debates thanks. 
It's effective at blocking bruteforce attacks. If a host EXCEEDS a 
specified number of guesses during the (configurable) 30 seconds it 
takes the script to cycle, the host is blacklisted.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]