From: Justin <justin@j-schmitz.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] SSH brute force attacks and blacklist.py
Date: Wed, 27 Feb 2008 20:07:37 +0100
Message-ID: <47C5B4F9.9060701@j-schmitz.net>
In-Reply-To: <47C5A316.8010303@shic.co.uk>
Steve wrote:
> I can't believe that I'm the only person with this, so it's probably
> worth asking.
>
> I'm one of the (many) people who has opportunists trying usernames and
> passwords against SSH... while every effort has been made to secure
> this service by configuration; strong passwords; no root login
> remotely etc. I would still prefer to block sites using obvious
> dictionary attacks against me.
>
> I used to use DenyHosts - but that became annoying as it used rather a
> lot of resources (and relied upon tcp wrappers... which, I'm informed
> are somewhat old-fashioned)
>
> I migrated to try using iptables as my firewall and using blacklist.py
> - which I got working after some minor config-tweaking. I'm aware
> that there is configuration in the blacklist.py script for
> BLOCKING_PERIOD - but what I really miss is the "blocked forever" nature
> of the DenyHosts alternative.... though I prefer every other aspect of
> the iptables/blacklist.py approach.
>
> Has anyone else resolved this? As far as I'm concerned, once I detect
> someone has attempted a brute force (which blacklist.py does
> fantastically well) what I want is for no further communication to be
> accepted from the IP address - even after I reboot etc. While I don't
> know which sites I want to be accessible from in advance, I can be
> sure none of them would launch a brute force attack against me. :-)
>
> Recommendations?
>
> I'm looking for the neatest Gentoo way to do this... rather than
> recommendations for how to write something to do what I want from
> scratch...
>
> Steve
>
Try fail2ban. I started as a newbie on iptables and I still am, because it
is very easy to configure and does its job perfectly.
http://gentoo-wiki.com/HOWTO_fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page
--
gentoo-user@lists.gentoo.org mailing list