[lug] Barring the Barbarians

D. Stimits stimits at comcast.net
Fri Dec 10 15:27:47 MST 2004


Bill Thoen wrote:
> Last night I saw the usual round of SSH attacks, but one of them stood out. 
> This particular IP launched 1463 attempts; most of them against the root 
> account. Since I've set root to nologin, and my few real accounts have 
> decent passwords, the attack failed. But I don't really want to sit still 
> while these jerks come out of cyberspace and hammer away all night with a 
> battering ram.
> 
> Is there any way to automatically detect such an attack as it's happening
> and after, say, 5 attempts to break into root within 10 seconds, that the
> offending IP be reclassified so that my server blocks it completely?
> 

You might try snort, it has some very nice abilities. Understanding how 
it works isn't too hard, and just watching it succeed is in many ways 
entertaining.

> It doesn't do any good to put the IP in some "deny" list after the fact, 
> because I've never seen the same attacker twice. I need to stop them as 
> soon as I can see that an attack is under way.

I have not used this yet on my newest installs, but if you have the 
right kernel features enabled, you can track MAC addresses.

> 
> So does anyone know of ways to dynamically alter the defense as needed? Or 
> is the best response still just to keep my shields up? 

Phasers, and reroute power to the root shields. Heh, ok silly of me. 
Snort can do wonders here. There are a LOT of snort rules though that 
can be added, and as efficient as snort is (very), too many rules will 
add latency. I recommend you install and test snort with *just* ssh 
exploits first, then add rules back in as you go when you find something 
entertaining to foil.

D. Stimits, stimits AT comcast DOT net
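The rule Bill asks for in the quoted question (five failed root logins from one address within ten seconds) written out as detection logic over sshd log lines, as an added example that is not code from this thread. The log lines are constructed, and the syslog-style sshd message format, the 2004 year, and the iptables command used to block a flagged address are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd syslog lines (not a real capture). Year is assumed.
SAMPLE_LOG = """\
Dec 10 02:14:01 host sshd[4412]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 10 02:14:02 host sshd[4413]: Failed password for root from 203.0.113.7 port 40123 ssh2
Dec 10 02:14:03 host sshd[4414]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Dec 10 02:14:04 host sshd[4415]: Failed password for root from 203.0.113.7 port 40125 ssh2
Dec 10 02:14:05 host sshd[4416]: Failed password for root from 203.0.113.7 port 40126 ssh2
Dec 10 02:14:06 host sshd[4417]: Failed password for root from 203.0.113.7 port 40127 ssh2
Dec 10 02:14:07 host sshd[4418]: Failed password for root from 198.51.100.9 port 51000 ssh2
Dec 10 02:30:00 host sshd[4420]: Failed password for root from 198.51.100.9 port 51001 ssh2
Dec 10 02:30:01 host sshd[4421]: Accepted publickey for bill from 192.0.2.5 port 33000 ssh2
"""

# Matches sshd "Failed password" lines; the optional "invalid user" prefix appears
# when the account does not exist at all.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def detect_root_bruteforce(log_text, threshold=5, window=10, year=2004):
    """Return {ip: datetime} for every address with at least `threshold` failed
    root logins inside any `window`-second span (sliding window per address)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent root failures
    flagged = {}                  # ip -> time the threshold was crossed
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m or m.group("user") != "root" or m.group("ip") in flagged:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = ts
    return flagged


def block_command(ip):
    """Assumed firewall action: an iptables DROP rule for the flagged source address."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, when in detect_root_bruteforce(SAMPLE_LOG).items():
        print(when, " ".join(block_command(ip)))
```

Only 203.0.113.7 is flagged: its five root failures fall within six seconds, while 198.51.100.9 makes two attempts sixteen minutes apart and the "invalid user admin" line is not counted against root.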


