[H-GEN] Blocking SSH exploits

Greg Black gjb at gbch.net
Sun Aug 22 20:06:43 EDT 2004


On 2004-08-22, Sarah Walters wrote:

> In the daily security report generated by our FreeBSD box, we've been 
> getting a lot of messages like the following lately:
> 
> tempus.walters.id.au login failures:
> Aug 21 09:07:25 tempus sshd[14677]: Failed password for root from 
> 219.238.239.178 port 39247 ssh2

I've been seeing these regularly since 25 July.

> By the way, we are thinking that it would be nice to be able to block 
> IPs that make any such attempts automatically, probably for about 10 
> minutes. Does anyone know how to do this, and would it be worthwhile trying?

It would be a SMOP to watch the logs, grab IPs, and add rules to
ipfw to block and log them.  If you then had a cron job to sweep
your logs at some interval to watch for further incidents, you
could delete the rules if you thought they had gone away.  I
don't do this, so I haven't got the script to offer; but it will
be easy to do if you want to go that way.

In my case, I only allow ssh from outside to one account and I
am the only person who knows what combination of password and
key works with it.  And I keep my ssh daemons up to date.

Cheers, Greg
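The watch-the-logs, add-ipfw-rules, sweep-and-expire approach Greg sketches above, written out as an added example (this is not code from Greg, Sarah or the list; it is a sketch of what that script would look like). It assumes sshd log lines shaped like the one Sarah quoted, that the rule-number range starting at RULE_BASE is free, a state file path, and a constructed sample log embedded in the script. IPFW defaults to "echo ipfw" so it dry-runs anywhere; set IPFW=/sbin/ipfw on the FreeBSD box to actually change the firewall.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Sweeps sshd log lines
# for failed logins, emits ipfw rules that block (and log) the offending
# addresses, and deletes those rules once BLOCK_MINUTES have passed.
# Assumptions: authlog lines look like the one quoted in the post, the
# rule-number range starting at RULE_BASE is unused, and the state file path.
# IPFW defaults to "echo ipfw" so the script dry-runs anywhere; set
# IPFW=/sbin/ipfw to really add and delete rules.

IPFW="${IPFW:-echo ipfw}"
BLOCK_MINUTES="${BLOCK_MINUTES:-10}"
THRESHOLD="${THRESHOLD:-3}"                # failures before an IP is blocked
RULE_BASE="${RULE_BASE:-1000}"             # must sort before the rule that allows ssh in
STATE="${STATE:-/var/db/sshblock.state}"   # one "ip rule epoch" line per active block

# Print "count ip" for each address with >= THRESHOLD "Failed password"
# lines in the log file given as $1.  Matches real and invalid users alike.
failed_ips() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i + 2) == "port") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1" | sort -rn
}

# True if $1 already has a block rule recorded in STATE.
is_blocked() {
    [ -s "$STATE" ] && awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$STATE"
}

# Next unused rule number: one above the highest recorded, else RULE_BASE.
next_rule() {
    if [ -s "$STATE" ]; then
        awk -v b="$RULE_BASE" 'BEGIN { m = b - 1 } $2 > m { m = $2 } END { print m + 1 }' "$STATE"
    else
        echo "$RULE_BASE"
    fi
}

# Add a deny+log rule for $1 (unless already blocked) and record it with
# the block time $2 (epoch seconds; defaults to now).
block_ip() {
    now="${2:-$(date +%s)}"
    is_blocked "$1" && return 0
    rule=$(next_rule)
    $IPFW add "$rule" deny log ip from "$1" to any
    echo "$1 $rule $now" >> "$STATE"
}

# Block every address over threshold in log file $1, stamped with time $2.
sweep() {
    failed_ips "$1" | while read -r _count ip; do
        block_ip "$ip" "$2"
    done
}

# Delete rules older than BLOCK_MINUTES, judged against time $1 (default now).
expire() {
    now="${1:-$(date +%s)}"
    [ -s "$STATE" ] || return 0
    keep=$(mktemp)
    while read -r ip rule when; do
        if [ $((now - when)) -ge $((BLOCK_MINUTES * 60)) ]; then
            $IPFW delete "$rule"
        else
            echo "$ip $rule $when" >> "$keep"
        fi
    done < "$STATE"
    mv "$keep" "$STATE"
}

# Constructed sample log (the first line is the one quoted in the post, the
# rest are made up): four failures from one host, one from another, and a
# successful login that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 21 09:07:25 tempus sshd[14677]: Failed password for root from 219.238.239.178 port 39247 ssh2
Aug 21 09:07:29 tempus sshd[14679]: Failed password for root from 219.238.239.178 port 39260 ssh2
Aug 21 09:07:33 tempus sshd[14681]: Failed password for invalid user test from 219.238.239.178 port 39271 ssh2
Aug 21 09:07:38 tempus sshd[14683]: Failed password for invalid user guest from 219.238.239.178 port 39280 ssh2
Aug 21 09:15:02 tempus sshd[14690]: Failed password for sarah from 192.0.2.7 port 51022 ssh2
Aug 21 09:15:10 tempus sshd[14692]: Accepted publickey for sarah from 192.0.2.7 port 51030 ssh2
EOF
}

case "${1:-}" in
    sweep) sweep "${2:-/var/log/auth.log}"; expire ;;   # cron entry point
    demo)  STATE=$(mktemp); LOG=$(mktemp); write_sample_log "$LOG"
           sweep "$LOG"; expire $(( $(date +%s) + BLOCK_MINUTES * 60 ))
           rm -f "$STATE" "$LOG" ;;
esac
```

Running `sh sshblock.sh demo` prints the `ipfw add 1000 deny log ip from 219.238.239.178 to any` it would issue, then the matching `ipfw delete 1000` once the block has aged out. A cron line such as `*/5 * * * * IPFW=/sbin/ipfw sh /usr/local/sbin/sshblock.sh sweep /var/log/auth.log` does Greg's periodic sweep (the log path is an assumption). Two things to check before trusting it on a real box: ipfw evaluates rules in ascending number order, so RULE_BASE has to be lower than the rule that lets ssh in or the deny never fires, and `deny log` only writes anything when net.inet.ip.fw.verbose is enabled. The script also has no memory of where it stopped reading, so an address that keeps trying stays over threshold and is re-blocked on the first sweep after each expiry until the log rotates; tracking the log offset between sweeps is the obvious refinement.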