Message-ID: <456C7337.9060103@infiltrated.net>
Date: Tue, 28 Nov 2006 12:34:47 -0500
From: "J. Oquendo" <sil@...iltrated.net>
To: Anders B Jansson <hdw@...listi.se>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: SSH brute force blocking tool
Anders B Jansson wrote:
> Just one possibly silly question.
>
> Why are you working so hard to do this with complex scripts and stuff?
>
> I just wrote a little C snippet that runs on the firewall.
> All servers allowing external ssh send a copy of ssh auth to a port
> on the firewall.
>
> If it detects a brute force it adds the host to the block list and
> everything from that host is silently dropped.
>
> Added a whitelist function to avoid DOS attempts.
>
> Works perfect, and adds community service by letting the trawlers
> hang until they timeout.
>
The purpose of this wasn't to reinvent the wheel. It was to allow those
using the tool to report the addresses of anyone brute forcing ssh.
These addresses are going to be posted for others to see. Something like
an RBL for brute forcers.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
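
An added sketch of the detection logic the quoted message describes (count failed ssh authentications per source, block at a threshold, never block whitelisted networks). It is not Anders's C snippet or the tool under discussion; the OpenSSH syslog line format, the function name `find_brute_forcers`, the threshold, the window and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (documentation address ranges only).
SAMPLE_LOG = """\
Nov 28 12:30:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov 28 12:30:03 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Nov 28 12:30:04 gw sshd[2104]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Nov 28 12:30:05 gw sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
Nov 28 12:30:06 gw sshd[2106]: Failed password for alice from 192.0.2.10 port 51004 ssh2
Nov 28 12:30:07 gw sshd[2107]: Failed password for alice from 192.0.2.10 port 51009 ssh2
Nov 28 12:30:09 gw sshd[2109]: Accepted password for alice from 192.0.2.10 port 51015 ssh2
Nov 28 12:31:00 gw sshd[2110]: Failed password for bob from 198.51.100.4 port 33000 ssh2
Nov 28 12:45:00 gw sshd[2111]: Failed password for bob from 198.51.100.4 port 33010 ssh2
Nov 28 12:59:00 gw sshd[2112]: Failed password for bob from 198.51.100.4 port 33020 ssh2
"""

# Anchored at the end of the line so the address is always the trailing field
# written by sshd, never text that happens to sit inside the user name field.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* from (?P<ip>\S+) port \d+ ssh2$")

def find_brute_forcers(lines, whitelist, threshold=3, window_s=60, year=2006):
    """Return sources with `threshold` failures within `window_s` seconds, in detection order."""
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source address -> timestamps of recent failures
    blocked = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a literal address, so it can never reach the block list
        if ip in blocked or any(ip in net for net in allowed):
            continue  # whitelisted sources are never counted, so they cannot be locked out
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            blocked.append(ip)
    return [str(ip) for ip in blocked]
```

With `192.0.2.0/24` whitelisted only the fast guesser is returned; with an empty whitelist the legitimate user who mistyped a password three times is blocked as well, which is the lockout the whitelist exists to prevent.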