Message-ID: <Pine.GSO.4.43.0509061723290.4699-100000@tundra.winternet.com>
Date: Tue Sep  6 23:26:53 2005
From: dufresne at winternet.com (Ron DuFresne)
Subject: SSH Bruteforce blocking script



And yet, if one was reading the netfilter lists and looking for something
more robust, there is a script that has been maintained for a number of
months now that I'm sure will fit your needs.  I'm too busy and lazy to
get the link to it, but a simple google search should point it out and the
whole set of nearly bimonthly threads that covers it and its variants in
detail.

Yet, where one can limit, limiting access to sshd these days is preferred,
as openssl and the openssh code tend to be quite the problem with
maintenance, almost like the 90's with ftpd and sendmail....


Thanks,

Ron DuFresne


On Mon, 5 Sep 2005, Michael L Benjamin wrote:

>
> Thanks miah,
>
> I wasn't aware of this functionality in iptables. It doesn't offer the
> kind of permanency or logging that
> I might want, but it's a good suggestion nonetheless for other
> services/situations.
>
> Mike.
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of miah
> Sent: Friday, September 02, 2005 11:56 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
>
> If you're running iptables why not make use of hashlimit?  Once a limit
> is reached all connection attempts from that IP would be blocked until
> the hash entry expires.
>
> An example pulled from the web:
> iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \
> 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW \
> -j ACCEPT
>
> https://www.redhat.com/archives/fedora-test-list/2005-August/msg00061.html
> http://tinyurl.com/94fak
>
> Also, don't forget to man iptables or iptables -m hashlimit -h
>
> -miah
>
> On Fri, Sep 02, 2005 at 07:33:02PM +0800, Michael L Benjamin wrote:
> >
> >
> > -----Original Message-----
> > From: full-disclosure-bounces@...ts.grok.org.uk
> > [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Pedro
> > Hugo
> > Sent: Friday, 2 September 2005 05:53 PM
> > To: full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
> >
> > Hi,
> >
> > >I don't want to debate the goodness or badness of the strategy of
> > >blocking hosts like this in /etc/hosts.deny. It works perfectly for
> > >me, and most likely would for you, so no religious debates thanks.
> > >It's effective at blocking bruteforce attacks. If a host EXCEEDS a
> > >specified number of guesses during the (configurable) 30 seconds it
> > >takes the script to cycle, the host is blacklisted.
> > >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-- 
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back." --B.B. King
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
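
The blocking approach quoted in this thread (blacklist a host in /etc/hosts.deny once it exceeds a set number of failed guesses within one cycle), sketched as an added example. It is not the script discussed in the thread; the function names, the sshd log format and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumes the OpenSSH log
# form "Failed password for USER from IP port N ssh2".

# Constructed batch of log lines (documentation-range addresses), standing
# in for what arrived during one cycle of the script.
sample_log() {
cat <<'EOF'
Sep  2 19:30:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Sep  2 19:30:03 host sshd[2103]: Failed password for root from 192.0.2.10 port 40120 ssh2
Sep  2 19:30:05 host sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 40131 ssh2
Sep  2 19:30:07 host sshd[2107]: Failed password for invalid user x from 203.0.113.5 port 1 from 192.0.2.10 port 40140 ssh2
Sep  2 19:30:09 host sshd[2109]: Failed password for mike from 198.51.100.7 port 51500 ssh2
Sep  2 19:30:11 host sshd[2111]: Failed password for mike from 198.51.100.7 port 51502 ssh2
Sep  2 19:30:13 host sshd[2113]: Failed password for mike from 198.51.100.7 port 51504 ssh2
Sep  2 19:30:15 host sshd[2115]: Accepted password for mike from 198.51.100.7 port 51506 ssh2
EOF
}

# offenders THRESHOLD [ALLOWLIST]
# Reads one cycle of sshd log lines on stdin and prints a hosts.deny entry
# for every source that EXCEEDS THRESHOLD failures. ALLOWLIST is a
# space-separated list of addresses that are never blocked.
offenders() {
    awk -v max="$1" -v allow="${2:-}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # The user name is client-supplied and may itself contain
        # "from <ip> port <n>", so the address is read from fixed positions
        # at the END of the line, never from the first "from".
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF - 4) == "from" && $(NF - 2) == "port" {
            ip = $(NF - 3)
            # Only a dotted quad may reach hosts.deny.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in skip))
                count[ip]++
        }
        END { for (ip in count) if (count[ip] > max) print "sshd: " ip }
    ' | sort
}

# Example: show what would be appended to /etc/hosts.deny for this batch.
sample_log | offenders 3
```

The allowlist argument keeps an administrator's own address from being locked out by a few mistyped passwords.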

