From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1JUQR7-0004tB-DA for garchives@archives.gentoo.org; Wed, 27 Feb 2008 17:51:21 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id DCDDDE0740; Wed, 27 Feb 2008 17:51:19 +0000 (UTC) Received: from smtp.hotchilli.net (mta3.th.hotchilli.net [62.89.140.53]) by pigeon.gentoo.org (Postfix) with ESMTP id B5CEEE0740 for ; Wed, 27 Feb 2008 17:51:19 +0000 (UTC) Received: from [87.243.200.80] (helo=[10.0.1.253]) by smtp.hotchilli.net with esmtp (Exim 4.63) (envelope-from ) id 1JUQR4-0006XK-SO for gentoo-user@lists.gentoo.org; Wed, 27 Feb 2008 17:51:18 +0000 Message-ID: <47C5A316.8010303@shic.co.uk> Date: Wed, 27 Feb 2008 17:51:18 +0000 From: Steve User-Agent: Thunderbird 2.0.0.9 (Windows/20071031) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: [gentoo-user] SSH brute force attacks and blacklist.py Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: 644b473e-75a5-4ea1-81c4-b1744e607822 X-Archives-Hash: f2566794c11e31770a9b969f47295e1f I can't believe that I'm the only person with this, so it's probably worth asking. I'm one of the (many) people who has opportunists trying usernames and passwords against SSH... while every effort has been made to secure this service by configuration; strong passwords; no root login remotely etc. I would still prefer to block sites using obvious dictionary attacks against me. I used to use DenyHosts - but that became annoying as it used rather a lot of resources (and relied upon tcp wrappers... which, I'm informed are somewhat old-fashioned) I migrated to try using iptables as my firewall and using blacklist.py - which I got working after some minor config-tweaking. I'm aware that there is configuration in the blacklist.py script for BLOCKING_PERIOD - but what I really miss the "blocked forever" nature of the DenyHosts alternative.... though I prefer every other aspect of the iptables/blacklist.py approach. Has anyone else resolved this? As far as I'm concerned, once I detect someone has attempted a brute force (which blaclist.py does fantastically well) what I want is for no further communication to be accepted from the IP address - even after I reboot etc. While I don't know which sites I want to be accessible from in advance, I can be sure none of them would launch a brute force attack against me. :-) Recommendations? I'm looking for the neatest Gentoo way to do this... rather than recommendations for how to write something to do what I want from scratch... Steve -- gentoo-user@lists.gentoo.org mailing list