From: Jerry Eastmanhouser
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 3 Oct 2005 04:29:05 -0400
In-Reply-To: <4340E36E.6020801@garault.org>
References: <43404CB8.3@lunatic.net.nz> <4340E36E.6020801@garault.org>

I've been getting hit with similar brute force attacks...usually from Korea or China......anyway like the several options listed above I think the less fancy you secure your box the better.... really if you want to be able to log in from any number of remote clients like me the best thing to do is simply change your sshd port. I did that and it solved the problem rather quickly with little disruption to myself....I don't want to have a key with me...to log in with when I travel.

An option that I considered that nobody mentioned yet is leaving port 22 closed completely and then use port knocking to open up the port for 20 seconds or so on your IP (however long you need to log onto the system). The port opens long enough for you to establish a connection and then closes automatically to any new connections, but still allows established traffic through. Clever idea and pretty simple to implement...just google for it...I think there is a gentoo wiki howto on it as well.

Adios.
On 10/3/05, Christophe Garault wrote:
> Jeremy Brake wrote:
>
> >Hey all,
> >
> >I'm looking for an app/script which can monitor for failed ssh logins,
> >and block using IPTables for $time after $number of failed logins (an
> >exclusion list would be handy as well) so that I can put a quick stop to
> >these niggly brute-force ssh "attacks" I seem to be getting more and
> >more often.
> >
> >Anyone have any ideas?
> >
> >
> Yep: emerge fail2ban (http://sourceforge.net/projects/fail2ban).
> It's an excellent script written in python that can monitor all
> unsuccessful logins (ssh, apache)
> There's a fail2ban.conf file where you can define many options to
> protect you from a DoS.
>
> >Thanks, Jeremy B
> >
> >
> Have a nice day.
>
> --
> Christophe Garault
> --
> gentoo-security@gentoo.org mailing list
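The monitor Jeremy asks for in the quoted message, written as an added example that is neither fail2ban's code nor part of this thread: it parses sshd "Failed password" lines, bans a source address after $number failures inside a window, lifts the ban once $time has elapsed, and skips anything on an exclusion list. The syslog line layout, the assumed year 2005 (syslog stamps carry none), the sample log and the iptables rule it emits are all constructed here; a wrapper would run the returned commands with root privileges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network
# OpenSSH "Failed password" line in the classic syslog layout (the stamp carries no year).
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \w+ for "
                       r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")
def _epoch(ts, year=2005):  # a year is assumed (constructed sample) so events can be ordered
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(1970, 1, 1)).total_seconds()
def rule(ip, add=True):  # the iptables command a wrapper script would run: -I ban, -D unban
    return f"iptables {'-I' if add else '-D'} INPUT -s {ip} -p tcp --dport 22 -j DROP"

class SshBanPolicy:
    """Ban ban_time seconds ($time) after threshold failures ($number) within window; never ban exclude nets."""
    def __init__(self, threshold=5, window=600, ban_time=3600, exclude=()):
        self.threshold, self.window, self.ban_time = threshold, window, ban_time
        self.exclude = [ip_network(n) for n in exclude]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> epoch second when the ban lapses

    def feed(self, line):
        """Consume one auth.log line; return the iptables commands that fall due."""
        m = FAILED_RE.match(line)
        if not m:
            return []
        ip, now = m.group("ip"), _epoch(m.group("ts"))
        cmds = [rule(b, add=False) for b, until in self.banned.items() if until <= now]
        self.banned = {b: u for b, u in self.banned.items() if u > now}
        if ip in self.banned or any(ip_address(ip) in n for n in self.exclude):
            return cmds
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned[ip] = now + self.ban_time
            q.clear()
            cmds.append(rule(ip))
        return cmds
def scan(lines, policy):  # feed every line; returns all commands in the order they fall due
    return [c for line in lines for c in policy.feed(line)]
# Constructed sample auth.log: a scanner, a trusted LAN host, and a later lone failure.
SAMPLE_LOG = """\
Oct  3 01:20:01 box sshd[1001]: Failed password for root from 203.0.113.9 port 4021 ssh2
Oct  3 01:20:03 box sshd[1002]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Oct  3 01:20:05 box sshd[1003]: Failed password for invalid user test from 203.0.113.9 port 4023 ssh2
Oct  3 01:20:09 box sshd[1004]: Failed password for jeremy from 192.168.1.5 port 5001 ssh2
Oct  3 02:30:00 box sshd[1007]: Failed password for root from 198.51.100.7 port 6001 ssh2
""".splitlines()
```

With threshold 3 and 192.168.1.0/24 excluded, the sample yields one ban for 203.0.113.9 at 01:20:05 and its unban when the 02:30:00 line arrives after the hour-long ban has lapsed.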