[lug] Barring the Barbarians

Bill Thoen bthoen at gisnet.com
Fri Dec 10 07:41:15 MST 2004


Last night I saw the usual round of SSH attacks, but one of them stood out. 
This particular IP launched 1463 attempts, most of them against the root 
account. Since I've set root to nologin, and my few real accounts have 
decent passwords, the attack failed. But I don't really want to sit still 
while these jerks come out of cyberspace and hammer away all night with a 
battering ram.

Is there any way to automatically detect such an attack as it's happening,
so that after, say, 5 attempts to break into root within 10 seconds, the
offending IP is reclassified and my server blocks it completely?

It doesn't do any good to put the IP in some "deny" list after the fact, 
because I've never seen the same attacker twice. I need to stop them as 
soon as I can see that an attack is under way.

So does anyone know of ways to dynamically alter the defense as needed? Or 
is the best response still just to keep my shields up? 

- Bill Thoen
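The rule Bill is asking for (N failures from one address within T seconds, then block that address) is a sliding-window count over sshd's "Failed password" lines. Below is an added worked example of that detection logic; it is not part of the original post or anything Bill ran. It assumes the standard OpenSSH/syslog auth.log line format, a fixed year of 2004 (syslog timestamps carry none), and the classic `iptables -I INPUT -s <ip> -j DROP` rule as the blocking action. The log lines are constructed for the example and use documentation-range addresses; it counts failures for any account, not only root, and includes an allowlist so a typo in your own password cannot lock you out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real traffic). Addresses come from
# the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
Dec 10 02:13:01 gis sshd[4121]: Failed password for root from 203.0.113.7 port 41022 ssh2
Dec 10 02:13:02 gis sshd[4123]: Failed password for root from 203.0.113.7 port 41023 ssh2
Dec 10 02:13:04 gis sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
Dec 10 02:13:05 gis sshd[4127]: Failed password for root from 203.0.113.7 port 41025 ssh2
Dec 10 02:13:07 gis sshd[4129]: Failed password for root from 203.0.113.7 port 41026 ssh2
Dec 10 02:13:08 gis sshd[4131]: Failed password for root from 203.0.113.7 port 41027 ssh2
Dec 10 02:20:00 gis sshd[4201]: Failed password for bthoen from 198.51.100.9 port 50010 ssh2
Dec 10 02:20:30 gis sshd[4203]: Failed password for bthoen from 198.51.100.9 port 50011 ssh2
Dec 10 02:20:31 gis sshd[4205]: Accepted publickey for bthoen from 198.51.100.9 port 50012 ssh2
Dec 10 02:31:00 gis sshd[4301]: Failed password for root from 198.51.100.77 port 60001 ssh2
Dec 10 02:31:03 gis sshd[4303]: Failed password for root from 198.51.100.77 port 60002 ssh2
Dec 10 02:31:06 gis sshd[4305]: Failed password for root from 198.51.100.77 port 60003 ssh2
Dec 10 02:31:09 gis sshd[4307]: Failed password for root from 198.51.100.77 port 60004 ssh2
Dec 10 02:31:12 gis sshd[4309]: Failed password for root from 198.51.100.77 port 60005 ssh2
"""

# One OpenSSH "Failed password" line as written to auth.log by syslog.
# The "invalid user" prefix appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_login(line, year=2004):
    """Return (timestamp, user, ip) for a failed-login line, else None.
    syslog omits the year, so the caller supplies it; 2004 is an assumption
    matching the date of the post."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=10, allowlist=()):
    """Sliding-window detector: an IP is blocked the moment it has made
    `threshold` failed logins within any `window_seconds` span.
    Returns {ip: timestamp of the attempt that triggered the block}.
    Addresses in `allowlist` (your own management hosts) are never blocked."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    blocked = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if ip in allowlist or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
            recent.pop(ip)
    return blocked


def iptables_rules(blocked):
    """Render one DROP rule per blocked IP (assumed blocking action)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, ts in hits.items():
        print(f"{ts:%b %d %H:%M:%S} block {ip}")
    for rule in iptables_rules(hits):
        print(rule)
```

Run against the sample, 203.0.113.7 is blocked on its fifth failure at 02:13:07, well before its 1463rd. Note the third address, 198.51.100.77: it fails every three seconds, so five attempts span twelve seconds and a 10-second window never holds five of them; widening the window to 15 seconds catches it. Any threshold-in-window rule can be evaded by an attacker who simply goes slower, which is why the allowlist and nologin root remain the real protection and the blocker is a nuisance filter on top.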




