[LUAU] Handling Brute Force Attacks

gutierrej001 at hawaii.rr.com gutierrej001 at hawaii.rr.com
Wed Jul 27 14:06:12 PDT 2005


I use DenyHosts

What is DenyHosts?
DenyHosts is a script intended to be run by Linux system administrators
to help thwart ssh server attacks.

If you've ever looked at your ssh log (/var/log/secure on Redhat,
/var/log/auth.log on Mandrake, etc...) you may be alarmed to see how
many hackers attempted to gain access to your server. Hopefully, none of
them were successful (but then again, how would you know?). Wouldn't it
be better to automatically prevent that attacker from continuing to gain
entry into your system? 

http://denyhosts.sourceforge.net/

"When I take action I'm not going to fire a $2 million missile at a $10
empty tent and hit a camel in the butt."--

President of the United States,

George W. Bush.

----- Original Message -----
From: "R. Scott Belford" <scott at hosef.org>
Date: Wednesday, July 27, 2005 8:29 am
Subject: [LUAU] Handling Brute Force Attacks

> Slashdot recently referenced a good article about the growing number of
> Brute Force Attacks against ssh
>
> http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
>
> Night after night my server is one whose logs fill with thousands of
> lines like these:
> 
> Security Events
> =-=-=-=-=-=-=-=
> Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:217.106.234.86 port 36812 ssh2
> Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from ::ffff:217.106.234.86 port 36912 ssh2
> Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from ::ffff:217.106.234.86 port 37011 ssh2
> Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from ::ffff:217.106.234.86 port 37114 ssh2
> Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from ::ffff:217.106.234.86 port 37212 ssh2
> 
> 
> I don't allow Root logins and I only allow trusted users.
> 
> How are others handling this?  Do you block the IP address?  If so, does
> it help, or are you still found by yet another zombie?  Any suggestions
> or insight are welcome.
> 
> --scott
> 
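An added illustration, not part of either message and not DenyHosts' own code: a minimal log scanner for the sshd lines quoted above that counts failed passwords per source and prints TCP-wrappers style `hosts.deny` entries. The threshold of 5, the `allow` list and the sixth sample line are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Older OpenSSH logs "illegal user", newer releases "invalid user"; existing
# accounts get neither. The pattern is anchored at end of line so that text in
# the attacker-chosen username cannot be mistaken for the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>.+) from (?P<src>\S+) port \d+ ssh2$"
)

def normalize(src):
    """Return a canonical IP string, unwrapping IPv4-mapped ::ffff:a.b.c.d."""
    addr = ipaddress.ip_address(src)
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def count_failures(lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if m:
            try:
                counts[normalize(m.group("src"))] += 1
            except ValueError:
                pass  # source is not an IP address: skip rather than guess
    return counts

def hosts_deny_entries(lines, threshold=5, allow=()):
    """hosts.deny lines for sources at or above the (assumed) threshold."""
    return [f"sshd: {ip}" for ip, n in sorted(count_failures(lines).items())
            if n >= threshold and ip not in allow]

# Five lines from the quoted log plus one constructed line (192.0.2.10 is a
# documentation address): a real user mistyping a password once.
SAMPLE = """\
Jul 27 03:02:07 debby sshd[19964]: Failed password for illegal user daisy from ::ffff:217.106.234.86 port 36812 ssh2
Jul 27 03:02:09 debby sshd[20058]: Failed password for illegal user dorina from ::ffff:217.106.234.86 port 36912 ssh2
Jul 27 03:02:11 debby sshd[20143]: Failed password for illegal user marian from ::ffff:217.106.234.86 port 37011 ssh2
Jul 27 03:02:14 debby sshd[20195]: Failed password for illegal user juan from ::ffff:217.106.234.86 port 37114 ssh2
Jul 27 03:02:16 debby sshd[20243]: Failed password for illegal user don from ::ffff:217.106.234.86 port 37212 ssh2
Jul 27 03:05:41 debby sshd[20310]: Failed password for alice from ::ffff:192.0.2.10 port 40122 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(SAMPLE)))
```

Passing trusted addresses in `allow` keeps a legitimate user who mistypes a password repeatedly from being locked out.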


