Message-ID: <A54C844ED592544A8AA8EF69AAB040180348AA@sbswin001>
Date: Mon Sep 5 05:24:46 2005
From: mike.benjamin at clarinet.com.au (Michael L Benjamin)
Subject: FW: SSH Bruteforce blocking script
-----Original Message-----
From: Michael L Benjamin
Sent: Monday, September 05, 2005 12:04 PM
To: 'Gerald Holl'
Subject: RE: [Full-disclosure] SSH Bruteforce blocking script
Thank you.
Yes, I've used a similar script in the past to block hosts from Apache
log output.
This does have its dangers if you are dealing with worms, you might be
blocking your own people if they become infected, so an exclusion list
is something I'm looking at adding in.
Please take note of the /tmp file issue others have highlighted in the
script, and make the appropriate changes to run securely. I'm working on
the next revision of the script based on the valuable input from people
here. I'll re-post it when I think it's worthy of being looked at again.
As you've recognised, this can be applied to a lot of situations where
logfile output is in an expected format, and you want to block the most
common attacks. I'll try and make it more flexible/useful and reduce the
level of hardcoding.
Cheers, Mike.
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Gerald
Holl
Sent: Sunday, September 04, 2005 04:00 AM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
On 2005-09-02 09:37, Michael L Benjamin wrote:
> Here is a simple script I've coded up that I use on 3 of my RedHat
> Enterprise Linux 3 (RHEL3) servers. I decided to do this after seeing
> the amount of activity from places like China/Korea/Taiwan in relation
> to SSH brute force probes. I'll throw it open here for
> analysis/suggestions. It leverages off the TCPWrappers /etc/hosts.deny
> /etc/hosts.allow functionality.
Hello,
Nice script!
Although I think it's a good way to list those brute force IPs in
/etc/hosts.deny there is another good script that uses iptables to block
the IPs:
http://fail2ban.sourceforge.net/
It works with apache logfiles too.
cheers,
--
Gerald Holl
http://holl.co.at
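The approach discussed in this thread (count failed sshd logins per source address, honour an exclusion list, and rewrite the TCP Wrappers deny file without a predictable /tmp file), as an added example written for this page rather than the script Mike posted. The log lines and addresses are constructed, and the threshold, file paths and function names are assumptions.

```shell
# Added example, not the script from the thread: tally "Failed password" lines
# per source IP, skip hosts on an exclusion list, and merge "sshd: IP" entries
# into a TCP Wrappers deny file. The file is rebuilt via mktemp in its own
# directory and renamed into place, not through a fixed, predictable /tmp path.

# Print IPs with at least $3 "Failed password" lines in log $1, excluding any
# IP listed one-per-line in $2 (an empty exclusion file is handled correctly).
offenders() {
  awk -v t="$3" -v ex="$2" '
    FILENAME == ex { skip[$1] = 1; next }
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    }
    END { for (ip in n) if (n[ip] >= t && !(ip in skip)) print ip }
  ' "$2" "$1" | sort
}

# Merge new offenders from log $1 (exclusions $2) into deny file $3 with
# threshold $4; existing lines are kept and duplicates are not added.
update_deny() {
  tmp=$(mktemp "$(dirname "$3")/hosts.deny.XXXXXX") || return 1
  [ -f "$3" ] && cat "$3" >"$tmp"
  offenders "$1" "$2" "$4" | while read -r ip; do
    grep -q -x -F "sshd: $ip" "$tmp" || printf 'sshd: %s\n' "$ip" >>"$tmp"
  done
  chmod 644 "$tmp" && mv "$tmp" "$3"   # atomic replace; mktemp gave mode 0600
}

# Constructed sample log (RHEL3-era OpenSSH lines via syslog), written to $1.
write_sample_log() {
  cat >"$1" <<'EOF'
Sep  5 04:01:02 host sshd[2345]: Failed password for root from 203.0.113.7 port 40123 ssh2
Sep  5 04:01:04 host sshd[2346]: Failed password for illegal user test from 203.0.113.7 port 40124 ssh2
Sep  5 04:01:07 host sshd[2347]: Failed password for root from 203.0.113.7 port 40125 ssh2
Sep  5 04:02:10 host sshd[2350]: Failed password for admin from 198.51.100.9 port 51000 ssh2
Sep  5 04:02:12 host sshd[2351]: Failed password for admin from 198.51.100.9 port 51001 ssh2
Sep  5 04:02:15 host sshd[2352]: Failed password for admin from 198.51.100.9 port 51002 ssh2
Sep  5 04:03:00 host sshd[2360]: Failed password for bob from 192.0.2.44 port 60000 ssh2
Sep  5 04:03:30 host sshd[2361]: Accepted password for bob from 192.0.2.44 port 60001 ssh2
EOF
}

# Stand-alone demo in a scratch directory (never touches /etc/hosts.deny).
d=$(mktemp -d) && write_sample_log "$d/secure"
echo 198.51.100.9 >"$d/exclude"   # e.g. an infected internal host to spare
update_deny "$d/secure" "$d/exclude" "$d/hosts.deny" 3 && cat "$d/hosts.deny"
```

The exclusion file must exist (empty is fine); the demo prints only `sshd: 203.0.113.7` because 198.51.100.9 is excluded and 192.0.2.44 stays under the threshold.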
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/