| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4C22386D.8080409@baribault.net> Date: Wed, 23 Jun 2010 12:38:05 -0400 From: Gary Baribault <gary@...ibault.net> To: full-disclosure@...ts.grok.org.uk Subject: Re: targetted SSH bruteforce attacks In this attack, there's no need to throttle, the attacking computers hit it once every 15 seconds or so from many different sources. My denyhosts is not blocking 99.999% of the attempts. Gary Baribault Courriel: gary@...ibault.net GPG Key: 0x685430d1 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 06/23/2010 12:33 PM, Cody Robertson wrote: > On 6/23/10 4:22 AM, yersinia wrote: > >> On Thu, Jun 17, 2010 at 4:21 PM, Samuel MartÃn Moro <faust64@...il.com>wrote: >> >> >>> I also don't want to change my ssh port, nor restrict incoming IPs, ... and >>> I use keys only to log in without entering password. >>> So you're not alone. >>> I had my IP changed several times, my servers are only hosting personal >>> data. >>> But I'm still seeing bruteforce attemps in my logs. >>> >>> Here's something I use on my servers. >>> In cron, every 5-10 minutes, that should do it. >>> Of course, if you're running *BSD, pf is way more interesting to do that. >>> >>> Perhaps could be better to use something standard as fail2ban >>> >> http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/? >> >> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > If you have iptables it has ways you can do this throttle too many > connections within a specified period. I much prefer using something > such as this over third party software. > > I'm sure you can do this in PF however I'm not familiar with it enough > to be certain (I'd be surprised if you couldn't however). > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists