| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Mar 1 18:49:09 2006 From: linux-fan at onda.com.br (Giancarlo Razzolini) Subject: reduction of brute force login attempts via SSH through iptables --hashlimit GroundZero Security wrote: > Well i had a few minutes time, so i updated the script a bit. > > I did not use lastb though, as it wouldnt work (read the manpage.....) > Anyhow, maybe someone found it usefull so here is v.0.2 : > > http://www.groundzero-security.com/code/bruteforce-block.sh > > Any suggestions are welcome, insults and flames can be sent to /dev/null > > -sk > > GroundZero Security Research and Software Development > http://www.groundzero-security.com > > Wir widersprechen der Nutzung oder ?bermittlung unserer Daten > f?r Werbezwecke oder f?r die Markt- oder Meinungsforschung (? 28 Abs. 4 BDSG). > > pub 1024D/69928CB8 2004-09-27 Stefan Klaas <sk@...undzero-security.com> > sub 2048g/2A3C7800 2004-09-27 > > Key fingerprint = A93E 41F8 7E82 5F2C 3E76 41F1 4BCF 3096 6992 8CB8 > > -----BEGIN PGP PUBLIC KEY BLOCK----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > mQGiBEFX440RBADGTKOgZR9Y9VA/cfNLWTIN/OmXe9l6UZJ6pY8Hqcv6DFE//Kt9 > UfQMU470i+I7SvIHZN066Kl4ts4r90sLxXrE4r5VQCLTsJM68cliatrM8MbbZZs+ > xf3ldelZrHNvHkXDk4I/n3O56F9M6tZ/S71AIj++raIbFX57fn8Z8NNOnwCgwDr6 > LDVP+5N4DML1/+uvXNtoL30D/A/GUXd6lJ8i7MoZMzwKk1uwDsgWwP+Wm0hMwJMr > fR/di9K55pGdlGFNO5P2L3qOl2BaC8raNkLcXaweW+bao3P66nzpdtmecsjCMWq2 > tQWgu/O7S1FgzlUAKJSOc2Th5PY9Raum8bXnSv4gnHZCKjNskIdrz8WDxCzEoPtZ > eCssA/9ydHRvNIPjOTmzjXoE+UbJrB/U//u3dpAsLkzclKeSgjV2eYUgHGcqYn+H > cFoubD78yFWqZqYtxfiyjBlItsIn9ls0gAZFKDFHd1XfOLFSa0/NHNpHLxCZGFIA > tQ0Gp47VRmTPkWJ7lB505w0XioNs1H/1K1RSp++7+t1SNkBlobQpU3RlZmFuIEts > YWFzIDxza0Bncm91bmR6ZXJvLXNlY3VyaXR5LmNvbT6IVwQTEQIAFwUCQVfjjQUL > BwoDBAMVAwIDFgIBAheAAAoJEEvPMJZpkoy4AnYAmwTot1PMUty1YoCuMVg6cpr7 > HKy1AJ98jyzD365YkIQAEiihXlQJ4zrxBLkCDQRBV+OvEAgAiu75prsTQZdNijtY > eMQhl4tEL8qi8JOFluYGnvPYjDzU0PY9E4mNx/w2BgYcM3lTVzSmaiLEJ1AzeOHn > w+pLDWsorRZuVI9q3+ExW3s2yFX4ppdHAVBMuYsQyVJRkbobCkcwTbUYXr23pKzh > D8WRAJ991k2lNcQHxMgixAN+55XBFLhwLB0Yz7XmhFYLid5dLxdPllLIV3ZHDeY0 > SEqMSpw96+gV0QpX7YH9U2VBr3Wz7Ss6qNZkcgHQw1xmk6Yy24QnT4a9oZD06Yjr > cCocXnyI/YLW1wXo/6Hh44UH3b9mKUX6eh8ybn7QCnZDG7AdxbglLiPTkdcx0YoT > NANZBwADBwf8CrjVKiXSzyhUsdH1es1KQCZ/zH6PvPzdxqYuGuVVMzgaJeeOMS2G > 4rLfw2ILahAS0fjng6zX2c1ndPVJ6oAq3IygWsqJH6Uh23NmKTlyx3KtSgyW7YsB > Rn/4wobuojArTHTl+X3U4JZTUEb9E4osB9bFjdsgXcxNSwXghQMh1x5eS5/fcjLd > tACNq0x2/zh8zTJFHK+oNCLY2+iBjTUn7K03rEhQo6HqbPYwyc3LUCwBuFHFDVWp > bZqa4knO0H5BBmbiI09kaVPOs0qRLXCAf1oy9PxK5ZBJ4WfQAnMAU+TuNrTuW2SU > NMh92TCELdDpl/pMDbbBGeJdMvXZmY99HIhGBBgRAgAGBQJBV+OvAAoJEEvPMJZp > koy4p1QAoIaYw3VxA0/mixUsMO4R13sXIL/pAJ9zodR+A9+bLqCRlVusG8JhItv1 > Ow== > =E0o1 > -----END PGP PUBLIC KEY BLOCK----- > > Diese E-Mail kann vertrauliche Informationen enthalten. Wenn Sie nicht der > richtige Adressat sind oder diese E-Mail irrt?mlich erhalten haben, informieren > Sie bitte sofort den Absender und vernichten Sie diese E-Mail. > Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail oder von > Teilen dieser E-Mail ist nicht gestattet. > > This E-mail might contain confidential information. If you are not the right addressee > or you have recived this Mail in error, please inform the Sender as soon as possible > and delete this E-Mail immediately. You are not allowed to make any copies or > relay this E-Mail. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > 2 good solutions to this problem are: 1) put sshd to listen on a port that nmap or other port scanner doesn't scan by default (> 60000, as example). 2) Completely disable password authentication and leave only public key authentication enabled. Much more secure, as there is no password, except the one used to unlock the secret key, on the client's machine, which is never sent on the wire. Whit these 2 measures, you avoid a lot, if not eliminate completely, brute force attacks. And using other methods as --hashlimit from iptables and other methods from other firewall solutions, or even a port knocking system, may solve this problem better, then running log analyzers that detects these attempts and blocks the attackers in "real time". My 2 cents, -- Giancarlo Razzolini Linux User 172199 Moleque Sem Conteudo Numero #002 Slackware Current Snike Tecnologia em Inform?tica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060301/51979028/signature.bin
Powered by blists - more mailing lists