From: "Sadus ." <sadus@swiftbin.net>
To: "Taylor, Grant" <gtaylor@riverviewtech.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: SSH Brute force attacks
Date: Thu, 02 Jun 2005 22:18:46 +0300 [thread overview]
Message-ID: <1117739926.10257.22.camel@debianbox> (raw)
In-Reply-To: <429F3740.8070105@riverviewtech.net>
Portsentry listens to a set of ports you set. when someone nmaps your
machine or do some kind of scanning on certain ports, portsentry blocks
that IP via the method you prefer (ipchain, iptables...) and it can echo
the IP to /etc/hosts.deny thus droping all connections with the
attacker. I want to expand the SSH Brute force script to enable this
feature.
It is not important to know if an IP is already in the /etc/hosts.deny
list because since the IP is droped and denied from accessing, the IP
won't reach the brute force script, so normaly you won't have repetition
of IPs.
On Thu, 2005-06-02 at 11:43 -0500, Taylor, Grant wrote:
> Sadus . wrote:
> > Is there a way to parse the attacker's IP and block it permanantly via:
> > iptables -A INPUT -s $IP -j DROP
> > and cat > /etc/hosts.deny ?
>
> The closest thing that I can think of at the moment would be to LOG the packet with a custom "--log-prefix" that is being watched for by a user space daemon and have this daemon add the IP in question to an ipset set list and /etc/hosts.deny. To take advantage of the ipset set list you would have to use the set match extension to see if the IP was in the set list or not and take action based on that. If you would like I could ponder this for a while and get back to you on how I would go about doing this.
>
> > something close to what portsentry does, but using that SSH iptables
> > Brute force script.
>
> I'm not familiar with port sentry, can you tell me more about it or give me a URL to look at? I'll Google for it and take a look when I have some more time to spare to see if I can better answer your question(s).
>
> > This thread went big and confusion reigned on the latest version of the
> > Brute Force script, kindly post the latest/best iptable rules :)
>
> I will repost the script as it is presently in a new reply to the original message so that it is at the bottom of the thread. I'll also include a version number in the subject line to make this easier to look at in the future. For now you can see the most current version of the script in this message available here https://lists.netfilter.org/pipermail/netfilter/2005-May/060734.html . I'll post a friarly lengthy email with the basic script in a couple of different forms and the various pros and cons to each form. For now the main difference is that I'm not jumping to the SSH_Brute_Force chain the way that is posted in the list for various reasons I'll explain in the forthcoming email.
>
> > thanks
>
> No problem.
>
>
>
> Grant. . . .
>
--
Sadus . <sadus@swiftbin.net>
Swiftbin.net
next prev parent reply other threads:[~2005-06-02 19:18 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-06 15:57 SSH Brute force attacks Brent Clark
2005-05-06 16:40 ` Mogens Valentin
2005-05-06 19:29 ` R. DuFresne
2005-05-07 5:14 ` Taylor, Grant
2005-05-10 14:01 ` Eric Wood
2005-05-11 12:35 ` Brent Clark
2005-05-11 18:21 ` Taylor, Grant
2005-05-11 19:04 ` Pete Toscano
2005-05-11 19:15 ` Taylor, Grant
2005-05-11 19:30 ` Pete Toscano
2005-05-11 20:34 ` Jason Opperisano
2005-05-13 21:31 ` okay, I admit confusion here; R. DuFresne
2005-05-13 21:55 ` Jason Opperisano
2005-05-16 17:40 ` R. DuFresne
2005-05-16 20:55 ` Taylor, Grant
2005-05-16 21:05 ` Taylor, Grant
2005-05-14 7:02 ` SSH Brute force attacks Georgi Alexandrov
2005-05-14 15:47 ` Jason Opperisano
2005-05-15 20:12 ` Patrick Nelson
2005-05-17 0:49 ` Charlie Brady
2005-05-14 9:08 ` Łukasz Hejnak
2005-05-14 19:08 ` Taylor, Grant
2005-05-16 8:16 ` Łukasz Hejnak
2005-05-17 1:05 ` Charlie Brady
2005-05-17 5:00 ` Łukasz Hejnak
2005-05-17 5:19 ` Łukasz Hejnak
[not found] ` <42898402.10507@eccotours.dyndns.org>
2005-05-17 12:44 ` Łukasz Hejnak
2005-05-17 13:20 ` Brent Clark
2005-05-17 13:36 ` Sadus .
2005-05-17 16:06 ` Łukasz Hejnak
2005-05-17 15:21 ` Taylor, Grant
2005-05-18 12:39 ` Brent Clark
2005-05-19 4:55 ` Taylor, Grant
2005-05-19 9:05 ` Brent Clark
2005-05-19 14:39 ` Taylor, Grant
2005-05-20 13:01 ` Brent Clark
2005-05-20 14:53 ` Taylor, Grant
2005-05-23 16:31 ` Brent Clark
2005-06-02 16:13 ` Sadus .
2005-06-02 16:43 ` Taylor, Grant
2005-06-02 19:18 ` Sadus . [this message]
2005-06-13 14:39 ` Taylor, Grant
2005-06-13 16:17 ` Patrick Nelson
2005-06-13 16:27 ` /dev/rob0
2005-06-13 19:00 ` R. DuFresne
2005-05-18 16:54 ` Jim Miller
2005-05-18 17:51 ` Łukasz Hejnak
2005-05-19 2:09 ` Taylor, Grant
2005-05-21 8:00 ` Пётр Волков Александрович
2005-05-21 22:37 ` Taylor, Grant
2005-05-22 7:11 ` Пётр Волков Александрович
2005-05-22 10:09 ` Marius Mertens
2005-05-22 10:57 ` Łukasz Hejnak
2005-05-23 16:14 ` Taylor, Grant
2005-05-17 6:55 ` Taylor, Grant
[not found] ` <1116333615.24331.4.camel@debianbox>
2005-05-17 15:25 ` Taylor, Grant
2005-05-23 16:53 ` Taylor, Grant
2005-05-24 16:19 ` Marius Mertens
2005-05-25 5:35 ` Brent Clark
2005-05-25 8:48 ` Marius Mertens
2005-05-25 18:10 ` Taylor, Grant
2005-05-26 11:17 ` Brent Clark
2005-05-31 4:12 ` Taylor, Grant
2005-05-31 10:06 ` Brent Clark
2005-05-31 14:17 ` Taylor, Grant
2005-05-28 23:24 ` Sebastian Siewior
2005-05-29 1:01 ` Taylor, Grant
2005-05-07 5:32 ` Taylor, Grant
2005-05-08 15:20 ` Alistair Tonner
2005-05-08 18:51 ` Dwayne Hottinger
2005-05-08 22:57 ` Alexander Samad
2005-05-09 5:41 ` Taylor, Grant
2005-05-09 5:46 ` Taylor, Grant
2005-06-02 18:26 ` SSH Brute force attacks - Script version 1.0 Taylor, Grant
2005-07-25 19:41 ` Steven M Campbell
2005-07-26 6:18 ` Jan Engelhardt
-- strict thread matches above, loose matches on Subject: below --
2005-05-06 22:03 SSH Brute force attacks Gary W. Smith
2005-05-11 13:20 Alireza Yazdani
2005-05-11 19:49 zeus
2005-05-19 14:48 info
2005-05-19 15:01 ` Andrew Schulman
2005-05-19 15:31 info
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1117739926.10257.22.camel@debianbox \
--to=sadus@swiftbin.net \
--cc=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.