Re: blocking IPs that try to crack SSH, is portsentry what I want?

From: Adam Funk (a24061_at_yahoo.com)
Date: 04/19/05

    Date: Tue, 19 Apr 2005 12:12:28 +0100
    To: debian-user@lists.debian.org


    Dr. David Kirkby wrote:

    > I have in the past taken this approach, and still do in my firewall for
    > one or two odd IPs. I wrote a script to update the ruleset in ipfilter
    > (I use mainly a Sun) and to block IPs that were attacking my web server.
    >
    > However, after discussing this with many others, I am not convinced it
    > is such a good idea.
    >
    > It is not that hard to spoof the IP address. What happens if the spoof
    > IP is your DNS server? Suddenly DNS does not work. Or how about the IP
    > address of Google, or search engine spiders? It sounds good, but I
    > believe in practice it can lead to more problems than it solves.

    How about a Perl program run from a cron job to do the following?

    1. Scan auth.log for lines that match something approximately like this
       /^.+sshd.+Illegal user.+(\d+\.\d+\.\d+\.\d+).*$/
       so $1 is the IP address, and increment the value of a hash with the
       IP as the key.

    2. For any IP with more than 3 (for example) attempts, add a line
       "sshd: $ip # banned at $datetime\n"
       to /etc/hosts.deny (if it doesn't already contain $ip).

    This would block only sshd, not DNS or any other services. For improved
    efficiency it could use logtail or something similar instead of scanning
    the whole auth.log file.
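As an added example (not code from Adam's post), here are the two steps above written in Python rather than the Perl the post proposes, run over a constructed auth.log excerpt; the function names, the sample log lines and the documentation-range addresses are my own, and the ban timestamp is kept on its own comment line ahead of the sshd: entry.

```python
import re
from collections import Counter
from datetime import datetime

# Match sshd "Illegal user" lines and capture the source IPv4 address
# (the post's regex, anchored a little more tightly on the sshd prefix).
ILLEGAL_USER = re.compile(
    r"sshd\[\d+\]: Illegal user \S+ from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample auth.log excerpt; addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 19 11:02:13 host sshd[3120]: Illegal user test from 203.0.113.7
Apr 19 11:02:15 host sshd[3122]: Illegal user guest from 203.0.113.7
Apr 19 11:02:18 host sshd[3124]: Illegal user admin from 203.0.113.7
Apr 19 11:02:20 host sshd[3126]: Illegal user oracle from 203.0.113.7
Apr 19 11:05:01 host sshd[3140]: Illegal user test from 198.51.100.9
Apr 19 11:06:40 host sshd[3150]: Accepted publickey for adam from 192.0.2.5 port 4022 ssh2
"""

def count_illegal_users(log_text):
    """Step 1: Counter of source IP -> number of 'Illegal user' lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def already_denied(hosts_deny_text):
    """IPs already listed on 'sshd:' lines of an existing hosts.deny."""
    denied = set()
    for line in hosts_deny_text.splitlines():
        m = re.match(r"\s*sshd\s*:\s*([\d.]+)", line)
        if m:
            denied.add(m.group(1))
    return denied

def new_deny_lines(counts, hosts_deny_text, threshold=3, stamp=None):
    """Step 2: lines to append to hosts.deny for IPs with more than
    `threshold` attempts that are not already listed there."""
    stamp = stamp or datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    known = already_denied(hosts_deny_text)
    out = []
    for ip, n in sorted(counts.items()):
        if n > threshold and ip not in known:
            out.append(f"# banned at {stamp}")
            out.append(f"sshd: {ip}")
    return out
```

In the cron job the real auth.log and /etc/hosts.deny replace the sample strings; note that hosts.deny only takes effect for an sshd built with TCP wrappers (libwrap), which OpenSSH removed in 6.7.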

