SSH Scans Lockout
What I'm looking to do is add any host that has 3 login attempts to hosts.deny and cut down on the logs that are created. Apparently this is easy to do with FreeBSD though I've never heard of it being done on Linux (Debian incidentally).
Anybody have any suggestions?
14 Replies
I don't offhand know of any other ways, unless you look into some sort of IDS program. I've never fiddled with them myself so I don't know how you would get them working on Linux either.
Hope this helps.
Instead I log in through the host-server (i.e. hostXX.linode.com) and use the actual console.
@Ciaran:
The easiest way is probably to have a script that tails the logs and adds to the hosts.deny itself.
Or instead of adding the ip to hosts.deny (which clues the user in that he's been denied and just causes him to continue his mischief from a different host), go ahead and give him a root shell. Not a real one, just make it look real enough to waste his time. When he realizes there's nothing worth looking at and that the system is broken enough that it's not worth the time to break in ("why do ps and top always segfault?"), he'll go away and bother someone else.
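One way to do the log-tailing approach Ciaran describes, as an added example that is not code from the thread: a Python parser over constructed Debian auth.log lines (the hostname li42 and the addresses are made up) that counts failed and illegal-user attempts per source and emits hosts.deny entries once an address reaches 3. It strips the ::ffff: IPv4-mapped prefix that older sshd builds log, as seen in the "Protocol major versions differ" line later in the thread, so one host is not counted under two spellings.

```python
import re
from collections import Counter

# Constructed sample of Debian auth.log lines (not from the thread). Note the
# IPv4-mapped form "::ffff:a.b.c.d" that older sshd builds log.
SAMPLE_LOG = """\
Mar  3 04:11:02 li42 sshd[2311]: Failed password for root from ::ffff:203.0.113.5 port 4021 ssh2
Mar  3 04:11:05 li42 sshd[2313]: Failed password for root from ::ffff:203.0.113.5 port 4022 ssh2
Mar  3 04:11:08 li42 sshd[2315]: Failed password for invalid user test from ::ffff:203.0.113.5 port 4023 ssh2
Mar  3 04:12:40 li42 sshd[2320]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 04:12:45 li42 sshd[2322]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Mar  3 04:13:10 li42 sshd[2330]: Illegal user admin from ::ffff:192.0.2.9
"""

# Matches both "Failed password for ... from <ip>" and "Illegal user ... from <ip>".
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Illegal user) .*?from (\S+)"
)

def normalize_ip(addr):
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:1.2.3.4 and 1.2.3.4 count together."""
    return addr[7:] if addr.startswith("::ffff:") else addr

def count_failures(log_text):
    """Return a Counter of failed/illegal login attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[normalize_ip(m.group(1))] += 1
    return counts

def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def hosts_deny_lines(log_text, threshold=3, existing=()):
    """hosts.deny entries (sshd daemon only) for offenders not already listed."""
    already = set(existing)
    return ["sshd: " + ip for ip in offenders(log_text, threshold) if ip not in already]

if __name__ == "__main__":
    for entry in hosts_deny_lines(SAMPLE_LOG):
        print(entry)  # a real deployment would append this to /etc/hosts.deny
```

Run it against a continuously tailed auth.log and pass the addresses already present in hosts.deny as `existing` so entries are not duplicated on each pass.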
@cout:
@Ciaran: The easiest way is probably to have a script that tails the logs and adds to the hosts.deny itself.
Or instead of adding the ip to hosts.deny (which clues the user in that he's been denied and just causes him to continue his mischief from a different host), go ahead and give him a root shell. Not a real one, just make it look real enough to waste his time. When he realizes there's nothing worth looking at and that the system is broken enough that it's not worth the time to break in ("why do ps and top always segfault?"), he'll go away and bother someone else.
This sounds like it has the potential to tick a hacker off, which may make him try to "get even". He'll see a challenge and continue to dig. hosts.deny sounds like the better option between the two, as all it's doing is denying access (sorta similar to a firewall). If he sees that he's being denied and tries to use another IP, that one will be blocked also, after 3 tries.
I wonder if Chris is a whitehat or a blackhat?
@cederberg:
An alternative is to simply block the SSH port in the firewall and only open it for users who know the secret port knocking sequence (who then proceed to login as normal). That way it will look like you don't even run an SSH server on the box.
OOOO….
I'm gonna check that one out!
Protocol major versions differ for ::ffff:211.184.84.128: SSH-1.5-OpenSSH_3.5p1 vs. SSH-2.0-libssh-0.1
BTW, the only difference is the IP address…. the 'SSH-2.0-libssh-0.1' is always there.
Hal Williams