Re: ssh scans

To: David Wetzel <dave%turbocat.de@localhost>
Subject: Re: ssh scans
From: Chuck Swiger <cswiger%mac.com@localhost>
Date: Mon, 26 Oct 2009 13:35:20 -0700

On Oct 26, 2009, at 12:42 PM, David Wetzel wrote:

I am seeing a lot of ssh scans and I am wondering if somebody has asolution like adding the bad hosts temporary to pf.conf or so?


Consider denyhosts & bruteforceblocker:

DenyHosts is a script intended to be run by *ix system administrators to
help thwart ssh server attacks.

If you've ever looked at your ssh log (/var/log/auth.log ) you may bealarmed

to see how many hackers attempted to gain access to your server.
Denyhosts helps you:
- Parses /var/log/auth.log to find all login attempts
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host

- Keeps track of each non-existent user (eg. sdada) when a loginattempt failed.- Keeps track of each existing user (eg. root) when a login attemptfailed.

- Keeps track of each offending host (hosts can be purged )
- Keeps track of suspicious logins
- Keeps track of the file offset, so that you can reparse the same file
- When the log file is rotated, the script will detect it
- Appends /etc/hosts.allow
- Optionally sends an email of newly banned hosts and suspicious logins.
- Resolves IP addresses to hostnames, if you want

WWW:    http://denyhosts.sourceforge.net/

        -------

BruteForceBlocker is a perl script, that works along with pf - OpenBSD's
firewall (Which is also available on FreeBSD since version 5.2 is out).
It's main purpose is to block SSH bruteforce attacks via firewall.
When this script is running, it checks sshd logs from syslog and looks
for Failed Login attempts - mostly some annoying script attacks, and
counts number of such attempts. When given IP reaches configured limit
of fails, script puts this IP to the pf's table and blocks any further
traffic to the that box from given IP (This also depends on
configuration done in pf.conf).

WWW: http://danger.rulez.sk/projects/bruteforceblocker/

Regards,
--
-Chuck

Follow-Ups:
- Re: ssh scans
  - From: Carl Brewer

References:
- ssh scans
  - From: David Wetzel

Prev by Date: Re: ssh scans
Next by Date: Re: ssh scans
Previous by Thread: Re: ssh scans
Next by Thread: Re: ssh scans
Indexes:

Home | Main Index | Thread Index | Old Index