Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: reduction of brute force login attempts via SSH through iptables --hashlimit
From: "Christian \"Khark\" Lauf" <full-disclosure () kharkerlake net>
Date: Tue, 28 Feb 2006 22:45:57 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

was fail2ban ( http://fail2ban.sourceforge.net/ ) already mentioned?
It works like -sk's script. It searches your auth.log (or wherever your
sshd messages go to) for all typical sshd failure-messages.

After a user-defined count of "n" login failures from one IP where
counted  in "x" user-defined seconds, it bans all traffic from that IP
for "t" seconds via iptables.
After "t" seconds the rule will be automatically delete.
On my Debian Sarge server it works quite well. (Included in Debian Etch,
Gentoo and RedHat packages are also available.)

But I haven't tested if fail2ban is vulnerable against DoS-Attacks, for
example if you spoof your IP with the IP of the gateway your server is
directly connected to. And then try to login via ssh on $victim_host
with the IP of $gateway.
 - Would have the side-effect that ALL incoming traffic will be dropped,
as long as the rule stays active.

iptables -L output shows the following for fail2ban chain:

##### Before - Empty ruleset #####
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

##### After adding an IP to banlist #####
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  shell.xxxxxxxxxx.de  anywhere
RETURN     all  --  anywhere             anywhere

Though, the iptables-commands can be easily changed in
/etc/fail2ban.conf (look for "fwban").


Just my 2 cents,
  Christian "Khark" Lauf
- --
Christian "Khark" Lauf <khark () kharkerlake net>
GPG: 0x6AADC60A | IRCnet/silcnyet: Khark
silcnyet-Fingerprint: 9424 E3BF B637 E1FC E355 BA7C 01CC 1B68 3A1C E330
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFEBMSUAaLWKGqtxgoRApY8AJ47D5FfQ/bgIeZ6NSO9YF5hA6IarwCcDdQZ
ohVxfnuF+8FCfMbPYjHtgL4=
=KpTi
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault