uralmasha, posted June 10, 2005:

Hi! I looked at /var/log/auth and discovered that there is someone (or several someones) trying to log in to my machine via ssh, apparently using dumb password permutations, at 30-35 times per minute. I have a firewall in the router already, and shorewall is running as well, but some ports like 22 I need myself, so I cannot just close them. Is there a possibility to block some IPs for a while automatically after, say, N attempts to log in? Wouldn't like to make that example, but on Wi... another operating system, Norton Firewall does just that: blocks suspiciously active IPs for half an hour (not for attempting to log in, but for port scans, but still). It would be nice and would save some tons of packages sent over the internet. I use Mandriva LE, shorewall is running. There is a small database and web server on the machine that is always on-line.

Edited June 10, 2005 by uralmasha
Qchem, posted June 10, 2005:

You might be able to do something with portsentry.
ddmcse, posted June 10, 2005:

How about deny ALL on port 22 EXCEPT your remote IP, unless you are using a dynamic remote IP?
uralmasha (author), posted June 11, 2005:

ddmcse wrote: "how about deny ALL on port 22 EXCEPT your remote IP unless you are using a dynamic remote IP"

Yes, indeed, the remote IP and domain name are different every time; I cannot rely on that. I'll have a look at portsentry.

Edited June 11, 2005 by uralmasha
mrmagoo, posted June 12, 2005:

Try the psad portscan detector at http://www.cipherdyne.org/psad/

Perhaps you may want to try some security through obscurity by configuring sshd to make it listen on another port. Most ssh clients let you specify another port to connect to.

I forgot to mention the iptables psd (portscan detection) match. See its description at http://www.netfilter.org/patch-o-matic/pom-base.html. I haven't tried it (Status: Stable for 2.4.x).

Edited June 12, 2005 by mrmagoo
uralmasha (author), posted June 13, 2005:

mrmagoo, thank you. I looked at the psd match that you recommended. I believe this is not exactly what I wanted, although I may need it later, too. My concern so far is only about brute-force attacks. Nevertheless, your link brought me to another iptables match: "recent" (and the right keywords to dig further).

For future reference: in this thread of the netfilter mailing list there is a script that does just that: blocks a nuisance IP for a while. Thank you!

Update: If someone is using Shorewall, they might also be interested in the Shorewall action script that does the same thing: 1. Shorewall mailing list or 2. Jürgen Kreileder's blog. Both are quite similar and won't work with the 2.0 version shipped with Mandriva LE, but on the shorewall home page there is a pointer to the Mandriva RPMs of version 2.4.

Edited June 30, 2005 by uralmasha
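The "recent" match the thread settles on keeps a per-source list of hit timestamps and fires once a source has produced `--hitcount` new connections within `--seconds`. The following is an added example, not code from this thread or from netfilter: a small Python emulation of that logic run over constructed auth-log lines, useful for checking what a given window/hitcount setting would have caught before putting the real rules in place. The two iptables rules it mirrors are quoted in the docstring; the fixed 30-minute block duration is an assumption (the real `--update ... -j DROP` pairing instead keeps a source blocked until it stays quiet for the whole window), and the sample log lines, hostnames and addresses are constructed.

```python
"""Emulate the iptables 'recent' match for SSH brute-force blocking.

Rules this mirrors (standard iptables syntax, shown for reference only):
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
           -m recent --set --name SSH
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
           -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in syslog style; not real traffic.
SAMPLE_LOG = """\
Jun 10 03:12:01 host sshd[2101]: Failed password for root from 10.0.0.5 port 40211 ssh2
Jun 10 03:12:03 host sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 40212 ssh2
Jun 10 03:12:05 host sshd[2105]: Failed password for invalid user test from 10.0.0.5 port 40213 ssh2
Jun 10 03:12:07 host sshd[2107]: Failed password for root from 10.0.0.5 port 40214 ssh2
Jun 10 03:12:09 host sshd[2109]: Failed password for root from 10.0.0.5 port 40215 ssh2
Jun 10 03:12:30 host sshd[2111]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Jun 10 03:12:45 host sshd[2113]: Accepted password for alice from 192.168.1.20 port 51001 ssh2
Jun 10 03:20:00 host sshd[2120]: Failed password for root from 10.0.0.5 port 40300 ssh2
Jun 10 03:45:00 host sshd[2130]: Failed password for root from 10.0.0.5 port 40400 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)
EPOCH = datetime(2005, 1, 1)  # syslog lines carry no year; 2005 assumed, as in the thread


def parse_failed_login(line):
    """Return (seconds_since_epoch, source_ip, raw_timestamp) for a failed login, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=EPOCH.year)
    return (dt - EPOCH).total_seconds(), m.group("ip"), m.group("ts")


class RecentMatch:
    """Per-source sliding window (like --seconds/--hitcount) plus an assumed fixed block time."""

    def __init__(self, seconds=60, hitcount=4, block_seconds=1800):
        self.seconds = seconds
        self.hitcount = hitcount
        self.block_seconds = block_seconds
        self.hits = defaultdict(deque)  # ip -> timestamps of failures inside the window
        self.blocked_until = {}         # ip -> time at which the block expires

    def observe(self, ip, ts):
        """Feed one failed login; return 'dropped', 'blocked' (this hit tripped it) or 'counted'."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return "dropped"           # still inside the block: packet would be dropped
            del self.blocked_until[ip]     # block expired: start counting afresh
        window = self.hits[ip]
        window.append(ts)
        while ts - window[0] > self.seconds:   # discard hits older than the window
            window.popleft()
        if len(window) >= self.hitcount:
            self.blocked_until[ip] = ts + self.block_seconds
            window.clear()
            return "blocked"
        return "counted"


def find_offenders(log_text, seconds=60, hitcount=4, block_seconds=1800):
    """Replay a log through the matcher; report per-source failures, block time and drops."""
    matcher = RecentMatch(seconds, hitcount, block_seconds)
    report = {}
    for line in log_text.splitlines():
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are not counted
        ts, ip, raw_ts = parsed
        entry = report.setdefault(ip, {"failures": 0, "blocked_at": None, "dropped": 0})
        entry["failures"] += 1
        verdict = matcher.observe(ip, ts)
        if verdict == "blocked":
            entry["blocked_at"] = raw_ts
        elif verdict == "dropped":
            entry["dropped"] += 1
    return report


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info)
```

Replaying the sample, 10.0.0.5 trips the block on its fourth failure at 03:12:07, its next two attempts are dropped, and the attempt at 03:45:00 lands after the assumed half-hour block and is merely counted again; the single failure from 192.168.1.20 never reaches the threshold. Tune `seconds` and `hitcount` against your own log before choosing the values for the real rule.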