lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon Sep  5 05:24:46 2005
From: mike.benjamin at clarinet.com.au (Michael L Benjamin)
Subject: FW: SSH Bruteforce blocking script

 

-----Original Message-----
From: Michael L Benjamin 
Sent: Monday, September 05, 2005 12:04 PM
To: 'Gerald Holl'
Subject: RE: [Full-disclosure] SSH Bruteforce blocking script


Thank you.

Yes, I've used a similar script in the past to block hosts from Apache
log output. 
This does have it's dangers if you are dealing with worms, you might be
blocking your own people if they become infected, so an exclusion list
is something I'm looking at adding in.

Please take note of the /tmp file issue others have highlighted in the
script, and make the appropriate changes to run securely. I'm working on
the next revision of the script based on the valuable input from people
here. I'll re-post it when I think it's worthy of being looked at again.

As you've recognised, this can be applied to a lot of situations where
logfile output is in an expected format, and you want to block the most
common attacks. I'll try and make it more flexible/useful and reduce the
level of hardcoding.

Cheers, Mike.
 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Gerald
Holl
Sent: Sunday, September 04, 2005 04:00 AM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script

On 2005-09-02 09:37, Michael L Benjamin wrote:
> Here is a simple script I've coded up that I use on 3 of my RedHat 
> Enterprise Linux 3 (RHEL3) servers. I decided to do this after seeing 
> the amount of activity from places like China/Korea/Taiwan in relation

> to SSH brute force probes. I'll throw it open here for 
> analysis/suggestions. It leverages off the TCPWrappers /etc/hosts.deny

> /etc/hosts.allow functionality.

Hello,

Nice script!
Although I think it's a good way to list that brute force IPs in
/etc/hosts.deny there is another good script that uses iptables to block
the IPs:
http://fail2ban.sourceforge.net/

It works with apache logfiles too.

cheers,
--
Gerald Holl
http://holl.co.at
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ