OT: sshdfilter [was: Re: Server is back up]

Scott Minster scott at minsters.us
Mon Jan 16 07:21:03 EST 2006


Chris Shoemaker wrote:
> I didn't know about ipt recent.  I've been using:
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshscans
> -A RH-Firewall-1-INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans -j LOG --log-prefix "SSH attack: "
> -A RH-Firewall-1-INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans -j DROP

Off-topic, but I've been using sshdfilter for a while now, and it seems
to limit the number of brute force attack attempts on my SSH server.

http://www.csc.liv.ac.uk/~greg/sshdfilter/

The script wraps sshd and watches its output for illegal user attempts
or bad passwords.  Enough of either, and it adds the source IP to an
iptables rule to be dropped.  After a while, the IP gets removed from
the rule, but that's usually after the scanner has moved on.

I'm not sure how well this would work with a higher traffic SSH server.

-- 
Scott
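
A minimal sketch of the approach described in the message above, as an added example that is not part of the original post and not sshdfilter's own code: it counts failed-login lines per source address and emits block and unblock decisions. The thresholds, the `SSHBLOCK` chain name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

MAX_FAILS = 3    # assumed: failures tolerated inside WINDOW
WINDOW = 60      # assumed: seconds over which failures are counted
BLOCK_TTL = 600  # assumed: seconds before a block is lifted

# The user name is untrusted text, so the match is anchored at end of line:
# the address captured is the one sshd itself appended.
FAIL_RE = re.compile(
    r"(?:(?:Illegal|Invalid) user .*|Failed password for .*) from "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?: port \d+(?: ssh2?)?)?\s*$")

def process(events):
    """Turn time-ordered (seconds, log line) pairs into (time, action, ip)."""
    recent = defaultdict(deque)  # ip -> times of failures still in WINDOW
    blocked = {}                 # ip -> time the block expires
    actions = []
    for t, line in events:
        for ip, exp in list(blocked.items()):  # lift expired blocks first
            if exp <= t:
                del blocked[ip]
                actions.append((exp, "unblock", ip))
        m = FAIL_RE.search(line)
        if not m or m.group(1) in blocked:
            continue
        ip, q = m.group(1), recent[m.group(1)]
        q.append(t)
        while q[0] <= t - WINDOW:  # forget failures older than WINDOW
            q.popleft()
        if len(q) >= MAX_FAILS:
            blocked[ip] = t + BLOCK_TTL
            actions.append((t, "block", ip))
            q.clear()
    return actions

def iptables_cmd(action, ip, chain="SSHBLOCK"):  # chain name is hypothetical
    flag = "-A" if action == "block" else "-D"
    return f"iptables {flag} {chain} -s {ip} -j DROP"

# Constructed sample: (seconds since start, sshd message)
SAMPLE = [
    (0, "sshd[311]: Illegal user test from 203.0.113.5"),
    (2, "sshd[311]: Failed password for illegal user test from 203.0.113.5 port 4001 ssh2"),
    (5, "sshd[312]: Failed password for root from 203.0.113.5 port 4002 ssh2"),
    (30, "sshd[400]: Accepted publickey for scott from 198.51.100.7 port 5000 ssh2"),
    (700, "sshd[401]: Failed password for scott from 198.51.100.7 port 5001 ssh2"),
]

if __name__ == "__main__":
    for t, action, ip in process(SAMPLE):
        print(t, iptables_cmd(action, ip))
```

The block expires on a timer rather than on the next clean login, which matches the behaviour the message describes: the address is removed after a while regardless of what the scanner does next.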
