[lug] Barring the Barbarians

William M. Jarosko Jr wjarosko at earthlink.net
Sat Dec 11 11:34:12 MST 2004


You could also use portsentry in combination with snort.  It may not do
everything you need but it will stop a lot.  Of course YMMV as I don't know
what distro you use or if it will even compile under said distro.

http://sourceforge.net/projects/sentrytools/



-----Original Message-----
From: lug-bounces at lug.boulder.co.us [mailto:lug-bounces at lug.boulder.co.us]
On Behalf Of D. Stimits
Sent: Friday, December 10, 2004 3:28 PM
To: Boulder (Colorado) Linux Users Group -- General Mailing List
Subject: Re: [lug] Barring the Barbarians

Bill Thoen wrote:
> Last night I the usual round of SSH attacks, but one of them stood out. 
> This particular IP launched 1463 attempts; most of them against the root 
> account. Since I've set root to nologin, and my few real accounts have 
> decent passwords, the attack failed. But I don't really want to sit still 
> while these jerks come out of cyberspace and hammer away all night with a 
> battering ram.
> 
> Is there any way to automatically detect such an attack as it's happening
> and after, say, 5 attempts to break into root within 10 seconds, that the
> offending IP be reclassified so that my server blocks it completely?
> 

You might try snort, it has some very nice abilities. Understanding how 
it works isn't too hard, and just watching it succeed is in many ways 
entertaining.

> It doesn't do any good to put the IP in some "deny" list after the fact, 
> because I've never seen the same attacker twice. I need to stop them as 
> soon as I can see that an attack is under way.

I have not used this yet on my newest installs, but if you have the 
right kernel features enabled, you can track MAC addresses.

> 
> So does anyone know of ways to dynamically alter the defense as needed? Or
> is the best response still just to keep my shields up? 

Phasers, and reroute power to the root shields. Heh, ok silly of me. 
Snort can do wonders here. There are a LOT of snort rules though that 
can be added, and as efficient as snort is (very), too many rules will 
add latency. I recommend you install and test snort with *just* ssh 
exploits first, then add rules back in as you go when you find something 
entertaining to foil.

D. Stimits, stimits AT comcast DOT net
_______________________________________________
Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
