Stopping brute force ssh attacks

Is there a way to do the following?

I keep getting brute force attacked on my ssh every night by one or two IP addresses.

I think I have my sshd_config locked down.

What I would like is that if an IP address makes 3 or N unsuccessful attempts to log in, that IP address is cut off and ignored from then on.

This would stop most brute force scans.

Is there a way to do this?

Reply to
Brenda

User Brenda wrote:

Not exactly what you want, but maybe it will help you.

iptables -I INPUT -p tcp --dport 22 -i ppp0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i ppp0 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP

Reply to
Pawel Marciniak

[y4kk0@X ~]$ yum info pam_abl denyhosts
Setting up repositories
Reading repository metadata in from local files

Available Packages
Name       : denyhosts
Arch       : noarch
Version    : 1.1.4
Release    : 2.fc4
Size       : 68 k
Repo       : extras
Summary    : A script to help thwart ssh server attacks
Description:
DenyHosts is a Python script that analyzes the sshd server log messages to determine which hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host and, upon discovering a repeated attack host, updates the /etc/hosts.deny file to prevent future break-in attempts from that host. Email reports can be sent to a system admin.

Name       : pam_abl
Arch       : i386
Version    : 0.2.2
Release    : 2.fc4
Size       : 23 k
Repo       : extras
Summary    : A Pluggable Authentication Module (PAM) for auto blacklisting
Description:
Provides auto blacklisting of hosts and users responsible for repeated failed authentication attempts. Generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate. A command line tool allows to query or purge the databases used by the pam_abl module.

[y4kk0@X ~]$

Please search fedora-extras-list for more information (there was a discussion about these two programs some time ago).

I would also suggest changing default sshd port to something else.

Reply to
dawid gajownik
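The threshold rule Brenda asks for (cut an address off after N failed logins) is essentially what DenyHosts does by reading the sshd log. The following is an added example written for this thread, not DenyHosts or pam_abl code: it parses syslog-style sshd "Failed password" lines, counts failures per source address, records which accounts were targeted, and formats /etc/hosts.deny entries for any address at or above the threshold. The log lines in SAMPLE_LOG are constructed for the example; the helper names (tally_failures, offenders, hosts_deny_lines) are my own.

```python
"""Count failed sshd logins per source address and emit hosts.deny entries
once a source crosses a threshold.

Added example for this thread; it is not DenyHosts or pam_abl code.  The
input format mirrors the classic syslog sshd "Failed password" lines, and
the sample lines below are constructed rather than taken from a real host.
"""
import re
from collections import Counter, defaultdict

# Matches lines such as
#   Jun  3 02:14:07 host sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
# The "invalid user " prefix appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def tally_failures(lines):
    """Return (failure count per IP, set of targeted user names per IP).

    Lines that are not sshd failures (successful logins, other daemons)
    are ignored rather than treated as errors.
    """
    per_ip = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        per_ip[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return per_ip, users


def offenders(lines, threshold=3):
    """Addresses with at least `threshold` failed logins, sorted for stable output."""
    per_ip, _ = tally_failures(lines)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def hosts_deny_lines(ips):
    """Format /etc/hosts.deny entries for sshd.

    These only take effect if sshd was built with tcp_wrappers (libwrap)
    support; otherwise a packet-filter rule is the way to enforce the block.
    """
    return [f"sshd: {ip}" for ip in ips]


# Constructed sample: one address fails four times against four accounts,
# a second address fails twice, and one successful login is mixed in.
SAMPLE_LOG = [
    "Jun  3 02:14:07 host sshd[2201]: Failed password for root from 203.0.113.9 port 40122 ssh2",
    "Jun  3 02:14:09 host sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2",
    "Jun  3 02:14:11 host sshd[2205]: Failed password for invalid user test from 203.0.113.9 port 40141 ssh2",
    "Jun  3 02:14:13 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.9 port 40150 ssh2",
    "Jun  3 02:20:40 host sshd[2250]: Failed password for bren from 198.51.100.7 port 51234 ssh2",
    "Jun  3 02:20:45 host sshd[2250]: Failed password for bren from 198.51.100.7 port 51234 ssh2",
    "Jun  3 02:21:02 host sshd[2250]: Accepted password for bren from 198.51.100.7 port 51234 ssh2",
    "Jun  3 02:30:00 host cron[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]


if __name__ == "__main__":
    per_ip, users = tally_failures(SAMPLE_LOG)
    for ip in offenders(SAMPLE_LOG, threshold=3):
        print(f"{ip}: {per_ip[ip]} failures, accounts tried: {sorted(users[ip])}")
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG, threshold=3))))
```

With the threshold at 3, only 203.0.113.9 is listed; 198.51.100.7 mistyped a password twice and then logged in, which is the kind of source a hair-trigger block would lock out. Whatever threshold you pick, keep your own management address on an allow list so a typo does not cut you off from the box.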

This is exactly what I want. I installed it via yum, but how do I add it into the /etc/pam.d/ config files? We are using Fedora Core 4.

bren

Reply to
Brenda

You're talking about pam_abl? You may want to take a look at the /usr/share/doc/pam_abl-0.2.2/README.Fedora file and this example:

/usr/share/doc/pam_abl-0.2.2/conf/system-auth

Putting

auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf

after

auth required /lib/security/$ISA/pam_env.so

should activate pam_abl.

BTW Would you be willing to not top-post? Thanks.


Reply to
dawid gajownik
