NetBSD-Users archive


Re: ssh scans



On Oct 26, 2009, at 12:42 PM, David Wetzel wrote:
> I am seeing a lot of ssh scans and I am wondering if somebody has a solution like adding the bad hosts temporarily to pf.conf or so?

Consider denyhosts & bruteforceblocker:

DenyHosts is a script intended to be run by *ix system administrators to
help thwart ssh server attacks.

If you've ever looked at your ssh log (/var/log/auth.log ) you may be alarmed
to see how many hackers attempted to gain access to your server.
Denyhosts helps you:
- Parses /var/log/auth.log to find all login attempts
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host
- Keeps track of each non-existent user (eg. sdada) when a login attempt failed.
- Keeps track of each existing user (eg. root) when a login attempt failed.
- Keeps track of each offending host (hosts can be purged )
- Keeps track of suspicious logins
- Keeps track of the file offset, so that you can reparse the same file
- When the log file is rotated, the script will detect it
- Appends /etc/hosts.allow
- Optionally sends an email of newly banned hosts and suspicious logins.
- Resolves IP addresses to hostnames, if you want

WWW:    http://denyhosts.sourceforge.net/

        -------

BruteForceBlocker is a Perl script that works along with pf - OpenBSD's
firewall (which is also available on FreeBSD since version 5.2).
Its main purpose is to block SSH bruteforce attacks via the firewall.
When this script is running, it checks sshd logs from syslog and looks
for Failed Login attempts - mostly some annoying script attacks - and
counts the number of such attempts. When a given IP reaches the configured
limit of fails, the script puts this IP into pf's table and blocks any
further traffic to that box from the given IP (this also depends on the
configuration done in pf.conf).

WWW: http://danger.rulez.sk/projects/bruteforceblocker/

Regards,
--
-Chuck
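
The counting scheme both descriptions above outline (parse sshd failures, count per source address, hand addresses over the limit to a pf table), as an added example that is not part of the original message and is not code from DenyHosts or BruteForceBlocker. The table name `bruteforce`, the threshold of 3, the allow-list parameter and the sample log lines are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed pf.conf rules this pairs with (table name is hypothetical):
#   table <bruteforce> persist
#   block in quick from <bruteforce>

# Constructed sample lines in the usual sshd syslog format (not real traffic).
SAMPLE_LOG = """\
Oct 26 12:40:01 host sshd[411]: Failed password for invalid user sdada from 203.0.113.9 port 4242 ssh2
Oct 26 12:40:03 host sshd[411]: Failed password for root from 203.0.113.9 port 4243 ssh2
Oct 26 12:40:05 host sshd[412]: Failed password for invalid user a from 198.51.100.7 from 203.0.113.9 port 4244 ssh2
Oct 26 12:40:09 host sshd[413]: Failed password for root from 192.0.2.44 port 5151 ssh2
Oct 26 12:41:00 host sshd[414]: Accepted publickey for chuck from 192.0.2.10 port 6000 ssh2
"""

# The user name is chosen by the client, so take the address at the END of
# the line; the greedy ".*" skips any "from <ip>" embedded in the user name.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+(?: ssh2)?$")

def count_failures(log_text):
    """Return a Counter of failed-login attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))  # drop anything that is not an IP
        except ValueError:
            continue
        counts[str(addr)] += 1
    return counts

def hosts_to_block(log_text, threshold=3, allow=()):
    """Addresses at or above the threshold, minus an operator allow-list."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)

def pfctl_commands(addresses, table="bruteforce"):
    """Build the pfctl invocations that add each address to the pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in addresses]

if __name__ == "__main__":
    for cmd in pfctl_commands(hosts_to_block(SAMPLE_LOG)):
        print(cmd)
```

The third sample line carries a second address inside the user name field; only the address sshd itself wrote before `port` is counted, so the embedded one never reaches the table.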


