ssh brute force attacks 3202

ssh brute force attacks 3207 Peter T. Breuer
> ...and machine home is know We are talking about two entirely different...

On Sun, 20 Mar 2005 16:39:14 +0000, Menno Duursma

Thanks for the extra info; I'll review it more and see if it would help what I'm already doing. I did, however, know to use the hosts.deny and hosts.allow files. I already use them with my own homegrown Perl script, which is designed to detect and stop SSH attacks. It does much the same thing as your noted timelox function. One major difference is that my script runs several ways from cron (including a fast, run-once-per-minute scanner). Since it's a Perl script, it does the work independently of ssh itself, applying updates to the hosts.deny file and iptables to stop the attacks.

My script's scanning engine also goes a bit further than timelox. It reports the attacks in a separate log (for later graphing and report analysis), notifies me via email, and includes various info about the IPs used and what they were trying. It also does the scan by username and by IP address separately, to see if the attack originates from a single IP or is multi-IP based, and/or whether it is against a specific username. This helps detect and stop attacks whether the intended target is a specific username or it is a general brute-force random-name attack, regardless of whether the attack comes from a single IP or multiple IPs.

Also, the logs and emails it generates contain all sorts of info on the attacker's IP. This includes the country of origin of the offending IPs, the number of attempts, the username(s) attempted (flagging usernames or IPs that originate from the same ISP as my servers, and/or those which target known usernames on my servers), as well as all sorts of reverse lookup and traceroute results.

The idea behind my custom script was to go beyond the normal "detect the attack and take some temporary measure to stop it". There are enough of those out there, even using the most basic things noted in my last post. My intention, however, is to collect and report as much useful info as possible, protect my system automatically via simple, maintainable means, and make it easier to ascertain what each specific attack was trying to accomplish (attack an existing username on my systems, or just a general brute-force attack).

My homegrown script, mixed with several of the things noted in my previous post (and a few not posted for security reasons), makes my systems rock solid against the majority of SSH attacks. It may also help slow down, and in many cases has helped stop, large-scale SSH attacks. Older versions of this script worked out well in the past against a few larger attacks, and newer versions should work even better, since they are optimized to run even faster and do a better overall job of scanning and protecting the systems they are running on.

ssh brute force attacks 3203 Michael Heiming
> I keep re-reading this, and looking at the context, and I'm just not following you. My failing, I'm...

I would say if your systems are pretty secure already, why not homegrow your own security tools to help further enhance your server's security and tracking abilities? Hey, it can't hurt... :-)

ssh brute force attacks 3205 Michael Heiming
> OK. It "introduces" a highly unlikely and difficult to execute DOS method. So...

James T.
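The scanning logic James T. describes above (tally failed logins by source IP and by username separately, decide whether an attack is single-IP or distributed and whether it targets a real account or sprays random names, then emit hosts.deny and iptables blocks from a cron job) can be sketched as follows. This is an added example written for this page in Python, not the poster's Perl script or the timelox function; the log lines, the thresholds, the LOCAL_USERS set and the rule formats are all constructed assumptions. It reads only the "Failed password" lines OpenSSH writes to /var/log/auth.log or /var/log/secure and returns the block rules as strings rather than applying them.

```python
import re
from collections import Counter, defaultdict

# Matches OpenSSH "Failed password" syslog lines (constructed pattern; the
# "invalid user" prefix appears when the account does not exist locally).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: a three-IP attack on root, a single-IP sweep of
# random usernames, and one stray failure that should not be blocked.
SAMPLE_LOG = """\
Mar 20 16:40:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 4000 ssh2
Mar 20 16:40:02 host sshd[1202]: Failed password for root from 198.51.100.8 port 4001 ssh2
Mar 20 16:40:03 host sshd[1203]: Failed password for root from 198.51.100.9 port 4002 ssh2
Mar 20 16:40:04 host sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 5000 ssh2
Mar 20 16:40:05 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 5001 ssh2
Mar 20 16:40:06 host sshd[1206]: Failed password for invalid user oracle from 203.0.113.5 port 5002 ssh2
Mar 20 16:40:07 host sshd[1207]: Failed password for invalid user guest from 203.0.113.5 port 5003 ssh2
Mar 20 16:40:08 host sshd[1208]: Failed password for james from 192.0.2.44 port 6000 ssh2
"""

# Assumed set of real accounts on this host (hypothetical).
LOCAL_USERS = {"root", "james"}


def parse_failures(text):
    """Return (user, ip, is_invalid_user) for every failed-password line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((m["user"], m["ip"], m["invalid"] is not None))
    return out


def analyse(failures, ip_threshold=3, user_threshold=3):
    """Scan by IP and by username separately.

    An IP is blocked when it alone exceeds ip_threshold.  A username hit
    user_threshold times from more than one IP is a distributed attack on
    that account, so every source IP in it is blocked even if each is below
    ip_threshold on its own.
    """
    by_ip = Counter(ip for _, ip, _ in failures)
    by_user = Counter(user for user, _, _ in failures)
    ips_per_user = defaultdict(set)
    users_per_ip = defaultdict(set)
    for user, ip, _ in failures:
        ips_per_user[user].add(ip)
        users_per_ip[ip].add(user)

    bad_ips = {ip for ip, n in by_ip.items() if n >= ip_threshold}
    targeted_users = {u for u, n in by_user.items() if n >= user_threshold}
    multi_ip_users = {u for u in targeted_users if len(ips_per_user[u]) > 1}
    for u in multi_ip_users:
        bad_ips |= ips_per_user[u]

    report = {}
    for ip in sorted(bad_ips):
        users = users_per_ip[ip]
        report[ip] = {
            "attempts": by_ip[ip],
            "users": sorted(users),
            "hits_local_user": bool(users & LOCAL_USERS),
            "shape": "targeted" if len(users) == 1 else "random-username sweep",
        }
    return {
        "bad_ips": report,
        "targeted_users": sorted(targeted_users),
        "multi_ip_users": sorted(multi_ip_users),
    }


def block_rules(bad_ips):
    """hosts.deny lines and iptables commands a cron job would apply (strings only)."""
    deny = [f"sshd: {ip}" for ip in sorted(bad_ips)]
    ipt = [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
           for ip in sorted(bad_ips)]
    return deny, ipt


if __name__ == "__main__":
    result = analyse(parse_failures(SAMPLE_LOG))
    for ip, info in result["bad_ips"].items():
        print(ip, info)
    for line in block_rules(result["bad_ips"])[0]:
        print(line)
```

Run once a minute from cron against the tail of the log, this is the shape of the poster's "fast scanner": the per-IP count catches the random-name sweep from 203.0.113.5, while the per-username count is what exposes the root attack spread across three addresses, each of which is below the per-IP threshold on its own. The single failure from 192.0.2.44 is left alone. The country lookup, reverse DNS and traceroute reporting the post mentions would be added on top of the returned report; they are network calls and are deliberately left out here.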