Honeypots: Re: Displaying SSH password attempts

From: Harry Hoffman <hhoffman_at_ip-solutions.net>
Date: Wed, 05 Jul 2006 11:52:44 -0400

Why not just use port-knocking to allow iptables to grant access to port 22?

http://www.cipherdyne.org/fwknop/

That way it's closed off to the whole world until you decide you want it
open from a specific IP address.

--Harry

-- 
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/

Valdis.Kletnieks_at_vt.edu wrote:
> On Wed, 05 Jul 2006 16:48:02 +0200, Nikola said:
> 
>> When one of the servers detects 5 logins in a row from the same IP ADDRESS
>> in a given time it marks that IP and stores it in a database...and when other hosts
>> detect failed logins...they check the database and if the host is marked BAD they put
>> it in IPTABLES -j DROP.
>>
>> With this approach I have a ring of detect/protect systems that guards from
>> potential 31337 crackers ......
>>
>> Whole idea is bigger than this...but I leave it to your imagination....because
>> it's really easy to extend this idea to anything......
> 
> In many cases, it's a lot easier to just use iptables or Windows IPSEC
> filtering to only allow packets from the 2 or 3 /16's of addresses that *should*
> be connecting, and just deny the others.
> 
> Remember - estimates are from 1 to 10 million zombie boxes out there. Trying
> to ban them one by one is a losing proposition, they're being created faster
> than you can ban them.
Received on Jul 05 2006
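The two mechanisms argued over in this thread, Nikola's "5 failures from one IP, mark it, DROP it" ring and Valdis's "only allow the 2 or 3 prefixes that should be connecting" allow-list, sketched as an added example; this is not code posted by anyone in the thread. The sshd log lines are constructed for the example, the 10-minute window and the year 2006 (syslog timestamps carry no year) are assumptions, and the iptables commands are only returned as strings, never executed, so it runs offline and unprivileged.

```python
"""Added example: threshold-based SSH brute-force detection plus the two
iptables responses discussed in the thread (per-IP DROP vs. prefix allow-list).
Not code from the original posts; rules are generated, not applied."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in classic syslog format.
SAMPLE_LOG = """\
Jul  5 11:40:01 host1 sshd[2001]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jul  5 11:40:03 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Jul  5 11:40:05 host1 sshd[2003]: Failed password for root from 203.0.113.9 port 51250 ssh2
Jul  5 11:40:07 host1 sshd[2004]: Failed password for root from 203.0.113.9 port 51260 ssh2
Jul  5 11:40:09 host1 sshd[2005]: Failed password for root from 203.0.113.9 port 51270 ssh2
Jul  5 11:41:00 host1 sshd[2006]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jul  5 11:41:30 host1 sshd[2007]: Accepted publickey for ops from 192.0.2.10 port 22222 ssh2
Jul  5 11:52:00 host1 sshd[2008]: Failed password for root from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Failed password for root ..." and "... for invalid user admin ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2006  # assumption: syslog lines have no year field


def failed_logins(log_text):
    """Yield (timestamp, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def find_bad_ips(log_text, threshold=5, window_seconds=600):
    """Nikola's detector: an IP is BAD once it has `threshold` failures
    inside any `window_seconds` span. Returns the set of such IPs; in the
    ring described in the thread this set is what gets written to the
    shared database for the other hosts to consult."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    bad = set()
    for ts, ip in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old ones
            q.popleft()
        if len(q) >= threshold:
            bad.add(ip)
    return bad


def drop_rules(bad_ips, chain="INPUT"):
    """Per-IP ban rules, inserted at the top of the chain so they win."""
    return [f"iptables -I {chain} -s {ip} -j DROP"
            for ip in sorted(bad_ips, key=ipaddress.ip_address)]


def allowlist_rules(networks, port=22, chain="INPUT"):
    """Valdis's alternative: accept SSH only from the listed prefixes
    (e.g. a handful of /16s), then drop everything else on that port.
    strict=True rejects a prefix with host bits set, e.g. 10.1.2.3/16."""
    rules = []
    for net in networks:
        n = ipaddress.ip_network(net, strict=True)
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -s {n} -j ACCEPT")
    rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    bad = find_bad_ips(SAMPLE_LOG)
    print("BAD:", sorted(bad))
    print("\n".join(drop_rules(bad)))
    print("\n".join(allowlist_rules(["192.0.2.0/24", "10.20.0.0/16"])))
```

Run against the constructed log, 203.0.113.9 crosses the threshold (five failures in eight seconds) while 198.51.100.7 does not, because its two failures are more than ten minutes apart and the first has expired from the window. The allow-list path needs no log parsing at all, which is exactly Valdis's point: a fixed set of prefixes does not grow as the zombie population does.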