[CentOS] Re: Ideas for stopping ssh brute force attacks

Wed Jul 23 06:06:03 UTC 2008
Scott Mazur <centos at littlefish.ca>

On Wed, 23 Jul 2008 10:10:14 +1000, Les Bell wrote
> Scott Silva <ssilva at sgvwater.com> wrote:
> 
> >>
> Portsentry is still available on sourceforge I believe.
> <<
> 
> Good call - http://sourceforge.net/projects/sentrytools/ shows they were
> uploaded back in 2003 and it looks like nothing has happened since then.
> There must be more modern equivalents, surely?

I wrote a Perl daemon that I use to tail service log files.  Initially it was
a Postfix log scanner that looked for unknown address attempts, relay
attempts, and honey pot email addresses that I embedded in my web pages.  When
any of these hits turned up in the mail log, the sender's IP was added to the
iptables rules.  My goal was to cut down on spam.  It helped some, but not
enough to call it a complete success.  But it's very modular.

I started having some problems with brute force ftp attacks.  Very annoying,
kept filling up the log files (and my log partition) with chaff.  So I wrote
another module for my daemon to scan the ftp logs as well and firewall any IP
that failed to log in after 10 tries (a 3-hour timeout).  This was very
successful and now ftp crack attacks are a thing of the past.

I've never had ssh problems.  My ssh port rules limited it to a few known IP
addresses that I may need remote access from.  But my Perl daemon could be
easily expanded with another module to scan for ssh attacks.  Provided you've
got some Perl experience and time to hack (I'm hog-tied for the next while).

Scott

-- 
Registered Linux user #395249, http://counter.li.org
Nothing goes to waste when Little Fish are near!
(http://www.littlefish.ca)