Group: linux.gentoo.user
From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
Date: Wednesday, February 27, 2008 12:20 PM
Subject: [gentoo-user] Re: SSH brute force attacks and blacklist.py

Steve wrote:
> I can't believe that I'm the only person with this, so it's probably
> worth asking.
>
> I'm one of the (many) people who has opportunists trying usernames and
> passwords against SSH... while every effort has been made to secure this
> service by configuration; strong passwords; no root login remotely etc.
> I would still prefer to block sites using obvious dictionary attacks
> against me.
>
> I used to use DenyHosts - but that became annoying as it used rather a
> lot of resources (and relied upon tcp wrappers... which, I'm informed
> are somewhat old-fashioned)
>
> I migrated to try using iptables as my firewall and using blacklist.py -
> which I got working after some minor config-tweaking. I'm aware that
> there is configuration in the blacklist.py script for BLOCKING_PERIOD -
> but what I really miss is the "blocked forever" nature of the DenyHosts
> alternative.... though I prefer every other aspect of the
> iptables/blacklist.py approach.
>
> Has anyone else resolved this? As far as I'm concerned, once I detect
> someone has attempted a brute force (which blacklist.py does
> fantastically well) what I want is for no further communication to be
> accepted from the IP address - even after I reboot etc. While I don't
> know which sites I want to be accessible from in advance, I can be sure
> none of them would launch a brute force attack against me. :-)
>
> Recommendations?

If this is a personal or low-user connection, consider fwknop - single
packet authorization port knocking.

- works well for my home box
- the port simply drops pings, connection attempts, etc. 'til "opened"
- fwknop uses pcap to listen for authorization packets; when one comes
through with the correct (encrypted) command, it'll send an iptables
command to temporarily open the port for a designated period of time
allowing you to connect. The encrypted packets include a time of day
field to prevent replay attacks.


http://www.cipherdyne.org/fwknop/download/

>
> I'm looking for the neatest Gentoo way to do this... rather than
> recommendations for how to write something to do what I want from
> scratch...

fwknop is not Gentoo; but compiles cleanly.

HTH


--
gentoo-user@lists.gentoo.org mailing list
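As an added illustration of the exchange the reply describes (a timestamped, authenticated "open the port" packet, a temporary iptables rule, and a time field that limits replay), here is a small Python stand-in. It is not fwknop's code and not from this thread: fwknop encrypts its packet with Rijndael or GnuPG, whereas this example only authenticates a timestamped message with HMAC-SHA256, which is enough to show the time-window and replay checks. The shared key, port, skew window and open duration are assumed values, and the server returns the iptables commands as strings instead of running them, so it can be tried without root.

```python
# Added example: a minimal single-packet-authorization client/server
# modelled on the fwknop description above. NOT fwknop's code; it uses
# HMAC-SHA256 authentication instead of fwknop's encryption. KEY, SSH_PORT,
# MAX_SKEW and OPEN_FOR are assumed values for the example.
import hashlib
import hmac
import json
import os
import time

KEY = b"example-shared-secret-not-for-production"  # assumed pre-shared key
SSH_PORT = 22
MAX_SKEW = 120   # seconds: packets older or newer than this are rejected
OPEN_FOR = 30    # seconds the ACCEPT rule stays in place before removal


def build_spa_packet(client_ip, port=SSH_PORT, key=KEY, now=None):
    """Client side: build one authenticated, timestamped request.

    Returns the bytes that would be sent as a single UDP datagram. The
    nonce makes every packet distinct so the server can spot a replay
    even inside the time window.
    """
    body = {
        "src": client_ip,
        "port": port,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(8).hex(),
    }
    msg = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"|" + tag


class SpaServer:
    """Server side: validate packets and return the iptables commands that
    would open the port for the sender. Nothing here touches the firewall."""

    def __init__(self, key=KEY, max_skew=MAX_SKEW, open_for=OPEN_FOR):
        self.key = key
        self.max_skew = max_skew
        self.open_for = open_for
        self.seen = set()  # (ts, nonce) pairs already accepted, replay cache

    def handle(self, packet, now=None):
        """Return (commands, status); commands is None unless status == 'ok'."""
        now = int(time.time() if now is None else now)
        try:
            msg, tag = packet.rsplit(b"|", 1)
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest().encode()
        # Constant-time compare so a forged tag does not leak timing.
        if not hmac.compare_digest(expected, tag):
            return None, "bad mac"
        body = json.loads(msg)
        # Time-of-day check: a captured packet is only usable inside the window.
        if abs(now - body["ts"]) > self.max_skew:
            return None, "stale"
        # Drop cache entries that the time check would reject anyway,
        # then refuse anything already accepted inside the window.
        self.seen = {m for m in self.seen if abs(now - m[0]) <= self.max_skew}
        marker = (body["ts"], body["nonce"])
        if marker in self.seen:
            return None, "replay"
        self.seen.add(marker)
        rule = f"-s {body['src']} -p tcp --dport {body['port']} -j ACCEPT"
        commands = [
            f"iptables -I INPUT 1 {rule}",   # open only for this source IP
            f"sleep {self.open_for}",         # fwknop-style timeout
            f"iptables -D INPUT {rule}",      # close again
        ]
        return commands, "ok"


if __name__ == "__main__":
    server = SpaServer()
    pkt = build_spa_packet("203.0.113.5")          # constructed client address
    print(server.handle(pkt))                       # ('iptables ...', 'ok')
    print(server.handle(pkt))                       # (None, 'replay')
```

The removal step only closes the door to new connections; an SSH session that was set up while the rule existed keeps working because the usual `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule matches its packets, which is the same property fwknop relies on.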
