brute force ssh login attempts and how to Disrupt them



One day, I noticed one of those attacks starting. What
got my attention was the fact that the room was quiet. My head
was near the system, and I heard a rhythmic tick-tock coming from
the main hard drive, about once per second, sort of like a
heartbeat. I got curious and looked in the logs and there this
moron was in auth.log doing his thing. There wasn't much else
important going on at the time so I just pulled the Ethernet
cable and, of course, the tick-tock stopped. I bet I didn't have
it disconnected more than 10 or 15 seconds, but when I put it
back, the idiot was gone so apparently, the script gives up
pretty easily.

I wrote a C filter at work on our FreeBSD boxes that all
use ipfw to monitor the syslog for the "no identification string
from" message that these scripts generate first, and then make a
rule that slams the door on these kiddies. Every week, I empty
the jail and clear out the rules that were created. I think now
that I probably could just have the rule in for 30 seconds or so
and get rid of most of the headaches.

I haven't created anything similar for Linux yet or I
would be happy to let folks try it out.

Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Network Operations Group
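
A sketch of the kind of filter the post describes, added here as an example; it is not the author's code. It assumes the log line uses sshd's "Did not receive identification string from" wording, that only IPv4 sources are handled, and the function names and rule number are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Assumed sshd wording; the post quotes it loosely. */
#define MSG "Did not receive identification string from "

/* Pull a validated IPv4 address out of one syslog line.
 * out must hold INET_ADDRSTRLEN bytes. Returns 1 on success, 0 otherwise. */
int extract_offender(const char *line, char *out)
{
    /* Locate the sshd tag, then the start of the message body. */
    const char *p = strstr(line, "sshd[");
    if (p == NULL || (p = strstr(p, "]: ")) == NULL)
        return 0;
    p += 3;
    /* Anchor at the start of the body so the phrase embedded in another
     * message (a logged user name, say) does not match. */
    if (strncmp(p, MSG, strlen(MSG)) != 0)
        return 0;
    p += strlen(MSG);

    /* Take the token up to whitespace; newer sshd appends " port N". */
    char tok[INET_ADDRSTRLEN];
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= sizeof tok)
        return 0;
    memcpy(tok, p, n);
    tok[n] = '\0';

    /* inet_pton accepts only a dotted quad, so nothing else from the log
     * line can reach the firewall command. */
    struct in_addr a;
    if (inet_pton(AF_INET, tok, &a) != 1)
        return 0;
    return inet_ntop(AF_INET, &a, out, INET_ADDRSTRLEN) != NULL;
}

/* Format (do not run) the ipfw rule; rule_no is a hypothetical slot. */
int build_rule(const char *ip, unsigned rule_no, char *buf, size_t len)
{
    int w = snprintf(buf, len, "ipfw -q add %u deny tcp from %s to me 22",
                     rule_no, ip);
    return w > 0 && (size_t)w < len;
}
```

A caller would run the formatted command and later remove the rule with `ipfw delete` and the same rule number, which is where the short expiry the post considers would fit.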

