[H-GEN] iptables autoblocking

Christopher LeMoyne (Reply-To Humbug) christopher_lemoyne at yahoo.com.au
Wed Jul 20 03:39:02 EDT 2005


James Mills wrote:

>[ Humbug *General* list - semi-serious discussions about Humbug and     ]
>[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
>
>On Wed, Jul 20, 2005 at 12:10:36AM -0700, Anthony Irwin wrote:
>  
>
>>Hi everyone,
>>
>>I have been looking through my logs and noticed that
>>over the last month I have had a large number of
>>different ip addresses trying to login to my system
>>via ssh with generated user names.
>>
>>I was wondering if there is a way I could easily write
>>a script that automatically added invalid user login
>>attempts via ssh to be blocked in iptables and added
>>to a block list.
>>
>>below is a sample of my /var/log/auth.log file.
>>
>>Jul 20 10:30:41 localhost sshd[31205]: Illegal user test from 210.53.138.21
>>Jul 20 10:30:44 localhost sshd[31207]: Illegal user test from 210.53.138.21
>>Jul 20 10:30:47 localhost sshd[31209]: Illegal user guest from 210.53.138.21
>>Jul 20 10:30:50 localhost sshd[31211]: Illegal user guest from 210.53.138.21
>>Jul 20 10:31:00 localhost sshd[31217]: Illegal user daniel from 210.53.138.21
>>Jul 20 10:31:06 localhost sshd[31221]: Illegal user admin from 210.53.138.21
>>Jul 20 10:31:10 localhost sshd[31223]: Illegal user admin from 210.53.138.21
>>
>>I would really like to be able to automatically block
>>such attacks. I have thought about limiting ssh to
>>certain ip addresses but would prefer to leave it open
>>so I can login from anywhere.
>>
>>Any suggestions would be appreciated.
>>    
>>
>
>My own systems undergo such attacks as well. A couple of months ago one
>of my boxes was attacked in this way with ~20,000 login attempts. I
>would be interested in what others have to say first before I
>contribute... I have as yet _not_ implemented any solution.
>
>cheers
>James
>
>  
>
An interesting discussion relating to this on the OpenBSD Journal:
http://undeadly.org/cgi?action=article&sid=20041231195454

Seems there are a variety of methods for dealing with this, based on 
personal preference.

Regards,
Christopher
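
Added example, not part of the original thread and not written by any of its participants: one way to turn the "Illegal user ... from ..." lines quoted above into a reviewed iptables block list. The function names, the threshold of 3, the allowlist and port 22 are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the auth.log format quoted in the thread. Only
# 210.53.138.21 comes from the post; the rest are documentation addresses.
SAMPLE_LOG = """\
Jul 20 10:30:41 localhost sshd[31205]: Illegal user test from 210.53.138.21
Jul 20 10:30:44 localhost sshd[31207]: Illegal user test from 210.53.138.21
Jul 20 10:30:47 localhost sshd[31209]: Illegal user guest from 210.53.138.21
Jul 20 10:31:02 localhost sshd[31300]: Illegal user bob from 192.0.2.7
Jul 20 10:31:05 localhost sshd[31302]: Illegal user x from 198.51.100.9 from 203.0.113.5
Jul 20 10:31:09 localhost sshd[31304]: Accepted password for alice from 203.0.113.5
"""

# The user name is chosen by the remote client and may contain " from ...",
# so the greedy (.*) and the $ anchor take the address from the end of the line.
PATTERN = re.compile(r"sshd\[\d+\]: Illegal user (.*) from (\S+)$")


def offenders(log_text, threshold=3, allowlist=()):
    """Return {ip: hits} for sources with at least `threshold` illegal-user lines."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    hits = Counter()
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.IPv4Address(match.group(2))
        except ValueError:
            continue  # not a literal IPv4 address: never reaches a rule
        if any(ip in net for net in allowed):
            continue  # never block addresses you log in from yourself
        hits[str(ip)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def iptables_rules(ips, chain="INPUT"):
    """Render DROP rules as text for review; nothing is executed here."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(ips)]


if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

The rules are only printed, so they can be checked against the allowlist before being applied as root.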



