[gentoo-user] SSH brute force attacks and blacklist.py
I can't believe that I'm the only person with this, so it's probably worth asking. I'm one of the (many) people who has opportunists trying usernames and passwords against SSH... while every effort has been made to secure this service by configuration (strong passwords, no root login remotely, etc.), I would still prefer to block sites using obvious dictionary attacks against me.

I used to use DenyHosts - but that became annoying as it used rather a lot of resources (and relied upon tcp wrappers... which, I'm informed, are somewhat old-fashioned). I migrated to try using iptables as my firewall and using blacklist.py - which I got working after some minor config-tweaking. I'm aware that there is configuration in the blacklist.py script for BLOCKING_PERIOD - but what I really miss is the blocked-forever nature of the DenyHosts alternative, though I prefer every other aspect of the iptables/blacklist.py approach.

Has anyone else resolved this? As far as I'm concerned, once I detect someone has attempted a brute force (which blacklist.py does fantastically well), what I want is for no further communication to be accepted from the IP address - even after I reboot etc. While I don't know which sites I want to be accessible from in advance, I can be sure none of them would launch a brute force attack against me. :-)

Recommendations? I'm looking for the neatest Gentoo way to do this... rather than recommendations for how to write something to do what I want from scratch...

Steve
--
gentoo-user@lists.gentoo.org mailing list
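As an added illustration of the two pieces Steve describes (detecting repeated failures per source address, then keeping the resulting block list on disk so it can be reloaded into iptables after a reboot), here is a small Python sketch that is not code from the thread, from blacklist.py or from fail2ban; the log line format, the threshold, the list file name and the SSH_BLOCKED chain name are all assumptions.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample of sshd auth-log lines (not from the poster's system).
SAMPLE_LOG = [
    "Feb 27 10:01:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4021 ssh2",
    "Feb 27 10:01:04 host sshd[102]: Failed password for invalid user oracle from 203.0.113.5 port 4022 ssh2",
    "Feb 27 10:01:06 host sshd[103]: Failed password for root from 203.0.113.5 port 4023 ssh2",
    "Feb 27 10:01:09 host sshd[104]: Failed password for invalid user test from 203.0.113.5 port 4024 ssh2",
    "Feb 27 10:02:00 host sshd[105]: Failed password for steve from 198.51.100.7 port 51000 ssh2",
    "Feb 27 10:02:05 host sshd[106]: Accepted publickey for steve from 198.51.100.7 port 51001 ssh2",
]
# Assumed shape of the failure line sshd writes; successes and other lines are ignored.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

def failures_per_ip(log_lines):
    """Count failed SSH logins per source address."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_lines, threshold=3):
    """Addresses at or above the threshold: the 'brute force detected' set."""
    return {ip for ip, n in failures_per_ip(log_lines).items() if n >= threshold}

def persist_blocklist(path, new_ips):
    """Union newly detected addresses into the on-disk list; this file is what survives a reboot."""
    path = Path(path)
    existing = set(path.read_text().split()) if path.exists() else set()
    merged = existing | set(new_ips)
    path.write_text("\n".join(sorted(merged)) + "\n")
    return sorted(merged)

def iptables_rules(ips, chain="SSH_BLOCKED"):
    """Commands that rebuild a dedicated DROP chain from the list; meant to run once at boot."""
    rules = [f"iptables -N {chain} 2>/dev/null || iptables -F {chain}",
             f"iptables -I INPUT -j {chain}"]
    rules += [f"iptables -A {chain} -s {ip} -j DROP" for ip in sorted(ips)]
    return rules

def demo():
    """Detect, persist to a temporary file, then build the boot-time rules from what is on disk."""
    listfile = os.path.join(tempfile.mkdtemp(), "ssh_blocklist")
    persist_blocklist(listfile, offenders(SAMPLE_LOG))
    return iptables_rules(Path(listfile).read_text().split())
```

The address that failed once alongside a successful key login is left alone, while the address that failed three or more times ends up in the list that the boot-time rules reload.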
Re: [gentoo-user] SSH brute force attacks and blacklist.py
On Wednesday 27 February 2008, Steve wrote:

> I migrated to try using iptables as my firewall and using blacklist.py - which I got working after some minor config-tweaking. I'm aware that there is configuration in the blacklist.py script for BLOCKING_PERIOD - but what I really miss is the blocked-forever nature of the DenyHosts alternative, though I prefer every other aspect of the iptables/blacklist.py approach.

blacklist.py seems to work well for you, so why not just set BLOCKING_PERIOD to its maximum value? I would imagine that even after, say, one week the vast majority of zombie bots would have given up and moved on.

--
Alan McKinnon
alan dot mckinnon at gmail dot com
Re: [gentoo-user] SSH brute force attacks and blacklist.py
Steve wrote:

> I can't believe that I'm the only person with this, so it's probably worth asking. I'm one of the (many) people who has opportunists trying usernames and passwords against SSH... while every effort has been made to secure this service by configuration (strong passwords, no root login remotely, etc.), I would still prefer to block sites using obvious dictionary attacks against me.
>
> I used to use DenyHosts - but that became annoying as it used rather a lot of resources (and relied upon tcp wrappers... which, I'm informed, are somewhat old-fashioned). I migrated to try using iptables as my firewall and using blacklist.py - which I got working after some minor config-tweaking. I'm aware that there is configuration in the blacklist.py script for BLOCKING_PERIOD - but what I really miss is the blocked-forever nature of the DenyHosts alternative, though I prefer every other aspect of the iptables/blacklist.py approach.
>
> Has anyone else resolved this? As far as I'm concerned, once I detect someone has attempted a brute force (which blacklist.py does fantastically well), what I want is for no further communication to be accepted from the IP address - even after I reboot etc. While I don't know which sites I want to be accessible from in advance, I can be sure none of them would launch a brute force attack against me. :-)
>
> Recommendations? I'm looking for the neatest Gentoo way to do this... rather than recommendations for how to write something to do what I want from scratch...
>
> Steve

Try fail2ban. I started as a newbie on iptables and I still am, because it is very easy to configure and does its job perfectly.

http://gentoo-wiki.com/HOWTO_fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page