[KLUG Members] auto-nullrouting
Jamie McCarthy
jamie at mccarthy.vg
Wed Nov 23 09:49:44 EST 2005
Hi,

It's a fact of life that any machine exposed to the internet gets
brute-force password attacks happening pretty much constantly. The
attacks try different passwords against common usernames over and
over. What shows up in the syslog for my Debian machine is this:

Nov 22 18:14:28 localhost sshd[17004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:30 localhost sshd[17004]: Failed password for invalid user db from 200.93.221.165 port 40865 ssh2
Nov 22 18:14:31 localhost sshd[17007]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:33 localhost sshd[17007]: Failed password for invalid user anita from 200.93.221.165 port 41264 ssh2
Nov 22 18:14:35 localhost sshd[17010]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:37 localhost sshd[17010]: Failed password for invalid user test from 200.93.221.165 port 41637 ssh2
Nov 22 18:14:40 localhost sshd[17013]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:42 localhost sshd[17013]: Failed password for invalid user bind from 200.93.221.165 port 42095 ssh2

I always use very strong passwords, but I have a few users on this
machine who might not, so I'd like to automatically detect this
kind of attack and reject all traffic from and to that IP number
for a few hours. It doesn't have to respond instantaneously or
anything: within a few minutes is fine.

(a) Anyone know of a Debian package that does this?
(b) If not, does anyone have a favorite way to build this behavior
using standard tools? I could pretty easily write a script to tail
the log and permanently ban such IPs, but for the sake of a clean
routing table I'd rather the IPs get unbanned after a few hours,
which is a somewhat more difficult project.
--
Jamie McCarthy
http://mccarthy.vg/
jamie at mccarthy.vg
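
The behaviour asked about in (b), sketched as an added example that is not part of the original post: it counts sshd "Failed password" lines per source address and returns the route commands for a ban and for its later expiry. The class name, the threshold, the window, the three-hour ban length and the use of iproute2 blackhole routes are assumptions, and the commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines in the format shown in the post.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")
THRESHOLD = 3                   # assumed: failures needed to trigger a ban
WINDOW = timedelta(minutes=5)   # assumed: period in which they must occur
BAN_FOR = timedelta(hours=3)    # assumed value for "a few hours"

class NullRouter:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.banned = {}                    # ip -> time the ban expires

    def expire(self, now):
        """Return route deletions for every ban that has run out."""
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return [f"ip route del blackhole {ip}/32" for ip in done]

    def feed(self, line, year=2005):
        """Process one syslog line and return the route commands it triggers."""
        m = FAILED.match(line)
        if not m:
            return []
        # Classic syslog timestamps omit the year, so the caller supplies it.
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        cmds = self.expire(now)
        if ip in self.banned:
            return cmds
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= THRESHOLD:
            self.banned[ip] = now + BAN_FOR
            del self.failures[ip]
            cmds.append(f"ip route add blackhole {ip}/32")
        return cmds

# Constructed sample lines (documentation address 203.0.113.7), not real log data.
SAMPLE = [f"Nov 22 18:14:{s} localhost sshd[17004]: Failed password for invalid "
          f"user test from 203.0.113.7 port 40865 ssh2" for s in (30, 33, 37)]

if __name__ == "__main__":
    router = NullRouter()
    print([cmd for line in SAMPLE for cmd in router.feed(line)])
```

Bans are only checked for expiry when a new failure line arrives, so a long-running tailer would also call `expire(datetime.now())` on a timer.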