Re: SSH Brute force attacks

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: SSH Brute force attacks
Date: Mon, 13 Jun 2005 09:39:26 -0500	[thread overview]
Message-ID: <42AD9A9E.7070603@riverviewtech.net> (raw)
In-Reply-To: <1117739926.10257.22.camel@debianbox>

Sadus . wrote:
> Portsentry listens to a set of ports you set. when someone nmaps your
> machine or do some kind of scanning on certain ports, portsentry blocks
> that IP via the method you prefer (ipchain, iptables...) and it can echo
> the IP to /etc/hosts.deny thus droping all connections with the
> attacker. I want to expand the SSH Brute force script to enable this
> feature.
> It is not important to know if an IP is already in the /etc/hosts.deny
> list because since the IP is droped and denied from accessing, the IP
> won't reach the brute force script, so normaly you won't have repetition
> of IPs.

I'm working on a re-write of the SSH_Brute_Force chain on my home firewall.  This rewrite will be VERY different and should be the foundation for much growth and adaptation in to other things as well.  The basic idea behind it is to use a multi level triggering system.  Restated in english if you trigger the first level you are banned for a specific amount of time.  If you trip the first level and are banned for the specified amount of chem and then re trip the first level you are then banned at the second level and banned for a longer time.  At present my levels are as follows, 1 minute, 1 hour, 1 day, 1 week, 1 month, 1 year and then permanent ban.  I'm also adding IPs to a recent list that can be checked by other chains early on in the chain set out side of the SSH_Brute_Force chain.  Needless to say it's very complex and I'm doing some testing to make sure that it works the way that 
 I want it to.  Once I get it working I'll either post it to this thread or start a new one
 with an appropriate subject.  I'm trying to include some functionality or the capability of the functionality of Portsentry as you have requested.

I'm not sure if /etc/hosts.deny will prevent packets from entering IPTables or not as I thought that the file was read by user space daemons as a list of IPs to never talk to, not necissarly to the IP table to deny access to.  I could be wrong on this though.

Grant. . . .

next prev parent reply	other threads:[~2005-06-13 14:39 UTC|newest]

Thread overview: 82+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-05-06 15:57 SSH Brute force attacks Brent Clark
2005-05-06 16:40 ` Mogens Valentin
2005-05-06 19:29 ` R. DuFresne
2005-05-07  5:14 ` Taylor, Grant
2005-05-10 14:01   ` Eric Wood
2005-05-11 12:35   ` Brent Clark
2005-05-11 18:21     ` Taylor, Grant
2005-05-11 19:04       ` Pete Toscano
2005-05-11 19:15         ` Taylor, Grant
2005-05-11 19:30           ` Pete Toscano
2005-05-11 20:34             ` Jason Opperisano
2005-05-13 21:31               ` okay, I admit confusion here; R. DuFresne
2005-05-13 21:55                 ` Jason Opperisano
2005-05-16 17:40                   ` R. DuFresne
2005-05-16 20:55                     ` Taylor, Grant
2005-05-16 21:05                 ` Taylor, Grant
2005-05-14  7:02               ` SSH Brute force attacks Georgi Alexandrov
2005-05-14 15:47                 ` Jason Opperisano
2005-05-15 20:12                 ` Patrick Nelson
2005-05-17  0:49                   ` Charlie Brady
2005-05-14  9:08       ` Łukasz Hejnak
2005-05-14 19:08         ` Taylor, Grant
2005-05-16  8:16           ` Łukasz Hejnak
2005-05-17  1:05             ` Charlie Brady
2005-05-17  5:00               ` Łukasz Hejnak
2005-05-17  5:19                 ` Łukasz Hejnak
     [not found]                   ` <42898402.10507@eccotours.dyndns.org>
2005-05-17 12:44                     ` Łukasz Hejnak
2005-05-17 13:20                       ` Brent Clark
2005-05-17 13:36                         ` Sadus .
2005-05-17 16:06                           ` Łukasz Hejnak
2005-05-17 15:21                         ` Taylor, Grant
2005-05-18 12:39                       ` Brent Clark
2005-05-19  4:55                         ` Taylor, Grant
2005-05-19  9:05                           ` Brent Clark
2005-05-19 14:39                             ` Taylor, Grant
2005-05-20 13:01                               ` Brent Clark
2005-05-20 14:53                                 ` Taylor, Grant
2005-05-23 16:31                                   ` Brent Clark
2005-06-02 16:13                                     ` Sadus .
2005-06-02 16:43                                       ` Taylor, Grant
2005-06-02 19:18                                         ` Sadus .
2005-06-13 14:39                                           ` Taylor, Grant [this message]
2005-06-13 16:17                                             ` Patrick Nelson
2005-06-13 16:27                                             ` /dev/rob0
2005-06-13 19:00                                             ` R. DuFresne
2005-05-18 16:54                       ` Jim Miller
2005-05-18 17:51                         ` Łukasz Hejnak
2005-05-19  2:09                         ` Taylor, Grant
2005-05-21  8:00                       ` Пётр Волков Александрович
2005-05-21 22:37                         ` Taylor, Grant
2005-05-22  7:11                           ` Пётр Волков Александрович
2005-05-22 10:09                           ` Marius Mertens
2005-05-22 10:57                             ` Łukasz Hejnak
2005-05-23 16:14                               ` Taylor, Grant
2005-05-17  6:55               ` Taylor, Grant
     [not found]                 ` <1116333615.24331.4.camel@debianbox>
2005-05-17 15:25                   ` Taylor, Grant
2005-05-23 16:53               ` Taylor, Grant
2005-05-24 16:19                 ` Marius Mertens
2005-05-25  5:35                 ` Brent Clark
2005-05-25  8:48                   ` Marius Mertens
2005-05-25 18:10                   ` Taylor, Grant
2005-05-26 11:17                     ` Brent Clark
2005-05-31  4:12                       ` Taylor, Grant
2005-05-31 10:06                         ` Brent Clark
2005-05-31 14:17                           ` Taylor, Grant
2005-05-28 23:24                 ` Sebastian Siewior
2005-05-29  1:01                   ` Taylor, Grant
2005-05-07  5:32 ` Taylor, Grant
2005-05-08 15:20   ` Alistair Tonner
2005-05-08 18:51     ` Dwayne Hottinger
2005-05-08 22:57       ` Alexander Samad
2005-05-09  5:41         ` Taylor, Grant
2005-05-09  5:46     ` Taylor, Grant
2005-06-02 18:26 ` SSH Brute force attacks - Script version 1.0 Taylor, Grant
2005-07-25 19:41   ` Steven M Campbell
2005-07-26  6:18     ` Jan Engelhardt
  -- strict thread matches above, loose matches on Subject: below --
2005-05-06 22:03 SSH Brute force attacks Gary W. Smith
2005-05-11 13:20 Alireza Yazdani
2005-05-11 19:49 zeus
2005-05-19 14:48 info
2005-05-19 15:01 ` Andrew Schulman
2005-05-19 15:31 info

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=42AD9A9E.7070603@riverviewtech.net \
    --to=gtaylor@riverviewtech.net \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.