[lug] Barring the Barbarians

[D. Stimits]

Bill Thoen wrote:
> Last night I the usual round of SSH attacks, but one of them stood out. 
> This particular IP launched 1463 attempts; most of them against the root 
> account. Since I've set root to nologin, and my few real accounts have 
> decent passwords, the attack failed. But I don't really want to sit still 
> while these jerks come out of cyberspace and hammer away all night with a 
> battering ram.
> 
> Is there any way to automatically detect such an attack as it's happening
> and after, say, 5 attempts to break into root within 10 seconds, that the
> offending IP be reclassified so that my server blocks it completely?
> 

You might try snort, it has some very nice abilities. Understanding how 
it works isn't too hard, and just watching it succeed is in many ways 
entertaining.

> It doesn't do any good to put the IP in some "deny" list after the fact, 
> because I've never seen the same attacker twice. I need to stop them as 
> soon as I can see that an attack is under way.

I have not used this yet on my newest installs, but if you have the 
right kernel features enabled, you can track MAC addresses.

> 
> So does anyone know of ways to dynamically alter the defense as needed? Or 
> is the best response still just to keep my shields up? 

Phasers, and reroute power to the root shields. Heh, ok sillly of me. 
Snort can do wonders here. There are a LOT of snort rules though that 
can be added, and as efficient as snort is (very), too many rules will 
add latency. I recommend you install and test snort with *just* ssh 
exploits first, then add rules back in as you go when you find something 
entertaining to foil.

D. Stimits, stimits AT comcast DOT net