Re: SSH Cracking Attempts

From: Matthijs (vanaalten_at_hotmail.com)
Date: 09/29/04

    Date: Wed, 29 Sep 2004 21:55:59 +0200
    To: debian-user@lists.debian.org
    
    

    On Wed, 29 Sep 2004 21:10:24 +0200, Jacob S <stormspotter@6Texans.net>
    wrote:

    > So, my question is this. Is there a way to tell ssh to refuse
    > connections from an ip address after a certain number of failed login
    > attempts, or is snort the only way to do something like this? So far
    > I've been taking the manual approach, blocking the ip address with
    > my firewall after I see it hitting the logs, but that can give them
    > about an hour to play before I notice it (e-mailed to me by logcheck).

    It's not really what you're asking, but:
    In the Dutch computer magazine C't, I read an article a few months ago
    about protecting your computer using a port knocking system. If I
    remember correctly, you can close a port (your SSH port, for example)
    and only open it when a pre-defined pattern of access attempts on a
    pre-defined port (unused for applications) is applied. The SSH port
    can then be set to open in your firewall, perhaps only for the
    IP address that performed the knocking sequence.

    That way, the SSH port is closed and only someone who knows the
    appropriate port knocking sequence can open the port - and then set up
    an SSH session. Your ssh logfile should then no longer show up illegal
    access attempts.

    Some applications were named in the article - if you want, I can look
    them up and post the names.

    -- 
    Matthijs
    vanaalten@hotmail.com
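
The port knocking scheme described in the message above, modelled as an added example (not code from the post or from the article it mentions). It covers only the decision logic, not a real firewall; the port numbers, timings and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 9000, 8000)  # constructed ports, deliberately not ascending
KNOCK_WINDOW = 10.0                  # assumed: seconds allowed for the whole sequence
OPEN_FOR = 30.0                      # assumed: seconds SSH stays open for that one IP

@dataclass
class KnockGate:
    progress: dict = field(default_factory=dict)  # src_ip -> (knocks matched, first knock time)
    allowed: dict = field(default_factory=dict)   # src_ip -> time the opening expires

    def packet(self, ts, src_ip, dst_port):
        """Feed one connection attempt on a closed port; True if it completes the knock."""
        idx, started = self.progress.get(src_ip, (0, ts))
        if ts - started > KNOCK_WINDOW:
            idx, started = 0, ts                  # too slow, start over
        if dst_port == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:                                     # wrong port resets this source only
            idx, started = (1 if dst_port == KNOCK_SEQUENCE[0] else 0), ts
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(src_ip, None)
            self.allowed[src_ip] = ts + OPEN_FOR  # open SSH for this address only
            return True
        if idx:
            self.progress[src_ip] = (idx, started)
        else:
            self.progress.pop(src_ip, None)
        return False

    def ssh_permitted(self, ts, src_ip):
        return self.allowed.get(src_ip, 0.0) > ts

# Constructed sample events: (time in seconds, source IP, destination port).
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 7000), (0.5, "198.51.100.7", 7000),    # .10 knocks correctly
    (1.0, "192.0.2.10", 9000), (1.2, "198.51.100.7", 8000),    # .7 probes in ascending order
    (1.5, "198.51.100.7", 9000), (2.0, "192.0.2.10", 8000),
]

def replay(events):
    gate = KnockGate()
    for ts, src_ip, dst_port in events:
        gate.packet(ts, src_ip, dst_port)
    return gate

if __name__ == "__main__":
    gate = replay(SAMPLE_EVENTS)
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "ssh permitted at t=5:", gate.ssh_permitted(5.0, ip))
```

A fixed knock sequence travels unencrypted, so anyone able to observe the traffic can repeat it; sshd's own authentication remains the actual access control.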