abuse@ and postmaster@ in the modern world?

Gareth Harper gareth at migcan.com
Fri Nov 17 16:09:30 GMT 2006


Toby Corkindale wrote:

>I get annoyed by people attempting to brute-force my root password via ssh.
>(I just wish they'd realise that I've disabled root logins remotely anyway!)
>I've experimented with rate-limiting the number of ssh connection attempts, but
>this has the side effect of DoS-ing me being able to log in myself (unless I
>start using convoluted iptables rules to rate-limit per-IP).
>
>Putting up a temporary (i.e. 7 days) total IP block on anyone who fails more than
>a few ssh passwords would be better, but I'm not sure how to implement that
>safely.
>
>How do you deal with this annoyance? Or do you just let them hurl themselves
>ineffectively at your passwords, safe in the knowledge that they're about 20
>characters long, and there's no way they'll have guessed it, even after 9000
>attempts.
>
>Toby

Google for login_sentry. It monitors your auth.log file and adds a 
"point" to people failing to log in; when they breach the level you set, 
it adds them to hosts.deny for a specific amount of time and then 
removes them again (you can configure the time).  I can provide you with 
my slightly modified version for Debian if you like (just mail offlist); 
the only thing I added was that the check for illegal user names seemed to be 
failing, so I changed the regex which picked them up.  I have my ban set 
to 30 minutes after scoring 10 points (names like admin, test, apache 
get double points), and having previously seen multi-hour-long attacks 
brute-forcing my password, they're all dealt with in a few seconds now. 
The nice thing is it removes the entry in hosts.deny after the ban 
expires, so you don't end up with thousands of entries for dynamic IPs.

Gareth
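To make the mechanism Gareth describes concrete, here is an added example (my own illustration, not login_sentry's code or Gareth's modified version) of the scoring approach: parse sshd lines from auth.log, give each source address points per failed attempt (double for names such as admin, test and apache), ban at 10 points for 30 minutes by emitting hosts.deny entries, and lift the ban when the time expires. The sample log lines, the `never_ban` allow-list for your own addresses (a guard against Toby's lock-out worry) and the exact regexes are assumptions made for this example; it matches both the older "Illegal user" and newer "Invalid user" wording that OpenSSH has used.

```python
import re
from collections import defaultdict

# Thresholds from Gareth's post: ban after 10 points, for 30 minutes.
BAN_THRESHOLD = 10
BAN_SECONDS = 30 * 60

# Account names that score double points (also from the post).
HIGH_VALUE_NAMES = {"admin", "test", "apache"}

# sshd log patterns. Older OpenSSH logged "Illegal user", newer releases
# log "Invalid user"; both spellings are accepted (assumed formats).
FAILED_PASSWORD = re.compile(
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+)"
)
BAD_USER = re.compile(r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")


def score_line(line):
    """Return (ip, points) for a failed-login line, or None for anything else."""
    m = FAILED_PASSWORD.search(line) or BAD_USER.search(line)
    if not m:
        return None
    points = 2 if m.group("user") in HIGH_VALUE_NAMES else 1
    return m.group("ip"), points


class BanTracker:
    def __init__(self, threshold=BAN_THRESHOLD, ban_seconds=BAN_SECONDS, never_ban=()):
        self.threshold = threshold
        self.ban_seconds = ban_seconds
        self.never_ban = set(never_ban)   # your own addresses (assumed allow-list)
        self.scores = defaultdict(int)    # ip -> accumulated points
        self.bans = {}                    # ip -> expiry time (seconds)

    def process(self, line, now):
        """Score one log line; returns True if it pushed the address into a ban."""
        scored = score_line(line)
        if scored is None:
            return False
        ip, points = scored
        if ip in self.bans or ip in self.never_ban:
            return False
        self.scores[ip] += points
        if self.scores[ip] >= self.threshold:
            self.bans[ip] = now + self.ban_seconds
            del self.scores[ip]           # start from zero after the ban lifts
            return True
        return False

    def expire(self, now):
        """Lift bans whose time has passed; returns the released addresses."""
        released = sorted(ip for ip, until in self.bans.items() if until <= now)
        for ip in released:
            del self.bans[ip]
        return released

    def hosts_deny_lines(self):
        """Current bans rendered as hosts.deny entries for the sshd daemon."""
        return [f"sshd: {ip}" for ip in sorted(self.bans)]


# Constructed sample of auth.log lines (not real traffic).
SAMPLE_AUTH_LOG = """\
Nov 17 15:58:01 host sshd[2101]: Illegal user admin from 198.51.100.23
Nov 17 15:58:01 host sshd[2101]: Failed password for illegal user admin from 198.51.100.23 port 40112 ssh2
Nov 17 15:58:03 host sshd[2103]: Illegal user test from 198.51.100.23
Nov 17 15:58:03 host sshd[2103]: Failed password for illegal user test from 198.51.100.23 port 40118 ssh2
Nov 17 15:58:05 host sshd[2105]: Failed password for root from 198.51.100.23 port 40120 ssh2
Nov 17 15:58:06 host sshd[2107]: Failed password for root from 198.51.100.23 port 40121 ssh2
Nov 17 15:58:09 host sshd[2110]: Accepted publickey for toby from 203.0.113.7 port 51000 ssh2
Nov 17 15:58:12 host sshd[2112]: Failed password for toby from 203.0.113.7 port 51002 ssh2
"""


def run_demo(now=0):
    """Feed the sample log through a tracker; returns (tracker, indices of lines that triggered bans)."""
    tracker = BanTracker()
    triggered = [i for i, line in enumerate(SAMPLE_AUTH_LOG.splitlines())
                 if tracker.process(line, now)]
    return tracker, triggered


if __name__ == "__main__":
    tracker, triggered = run_demo(now=0)
    print("bans triggered at line(s):", triggered)
    print("hosts.deny:", tracker.hosts_deny_lines())
    print("released after 30 min:", tracker.expire(BAN_SECONDS))
```

In a real deployment the tracker would tail auth.log, rewrite the tagged hosts.deny entries whenever `bans` changes, and call `expire()` on a timer; tcp_wrappers only enforces the entries if sshd was built with libwrap, which was the case on Debian of that era.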



More information about the london.pm mailing list