lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4404C495.2010202@kharkerlake.net>
Date: Tue Feb 28 21:46:14 2006
From: full-disclosure at kharkerlake.net (Christian "Khark" Lauf)
Subject: reduction of brute force login attempts via
	SSH	through iptables --hashlimit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

was fail2ban ( http://fail2ban.sourceforge.net/ ) already mentioned?
It works like -sk's script. It searches your auth.log (or wherever your
sshd messages go to) for all typical sshd failure-messages.

After a user-defined count of "n" login failures from one IP where
counted  in "x" user-defined seconds, it bans all traffic from that IP
for "t" seconds via iptables.
After "t" seconds the rule will be automatically delete.
On my Debian Sarge server it works quite well. (Included in Debian Etch,
Gentoo and RedHat packages are also available.)

But I haven't tested if fail2ban is vulnerable against DoS-Attacks, for
example if you spoof your IP with the IP of the gateway your server is
directly connected to. And then try to login via ssh on $victim_host
with the IP of $gateway.
 - Would have the side-effect that ALL incoming traffic will be dropped,
as long as the rule stays active.

iptables -L output shows the following for fail2ban chain:

##### Before - Empty ruleset #####
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

##### After adding an IP to banlist #####
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  shell.xxxxxxxxxx.de  anywhere
RETURN     all  --  anywhere             anywhere

Though, the iptables-commands can be easily changed in
/etc/fail2ban.conf (look for "fwban").


Just my 2 cents,
  Christian "Khark" Lauf
- --
Christian "Khark" Lauf <khark@...rkerlake.net>
GPG: 0x6AADC60A | IRCnet/silcnyet: Khark
silcnyet-Fingerprint: 9424 E3BF B637 E1FC E355 BA7C 01CC 1B68 3A1C E330
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFEBMSUAaLWKGqtxgoRApY8AJ47D5FfQ/bgIeZ6NSO9YF5hA6IarwCcDdQZ
ohVxfnuF+8FCfMbPYjHtgL4=
=KpTi
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ