Bruce Smith wrote:
I'm sure most people have seen tons of invalid SSH login attempts by some fairly new cracking program that guesses userids and passwords. The problem is getting worse and more frequent.
I was wondering if there is any way to configure SSH to block an IP after a certain number of invalid logins, for a certain amount of time (i.e. after 5 bad logins, block the IP for an hour).
Or maybe there is an IDS that can do that? I looked at Snort and can't find anything about SSH.
BTW, I'm aware of other ways to make SSH more secure, like not allowing password authentication and only allowing RSA/DSA keys, changing the port SSH listens on, port knocking, etc. I just thought that automatic IP blocking, as I ask about above, would be a good idea under some circumstances.

You can use the iptables "recent" module. Simply filter on new SYN packets to the SSH port and add the bad guy whenever he opens more than X connections in Y seconds to SSH. Stops 'em dead. You mustn't do it yourself of course.

http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.h...

You'll need to roll your own firewall rules if you don't already. (Unless it is now possible to inject such things in SuSEFirewall2, I don't know, haven't looked at SuSEFirewall in the last 3-4 years :-) )

Also putting SSH on another port than 22 also works.

HTH.

-- 
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
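As an added example (not René's code and not from the netfilter HOWTO), here is a rule set of the shape the reply describes: count new SYNs to the SSH port with the "recent" module and drop a source once it has too many recorded in a window. The chain name SSHBRUTE, the list name sshbrute, the 5-per-hour defaults and the variable names are this example's own choices; it prints the rules by default and only applies them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread: an iptables "recent"-module
# rate limit for new SSH connections. The chain name SSHBRUTE, the list
# name sshbrute and the defaults below are this example's own choices.

SSH_PORT="${SSH_PORT:-22}"
HITCOUNT="${HITCOUNT:-5}"   # SYNs already recorded before the next one is dropped
WINDOW="${WINDOW:-3600}"    # seconds the SYNs are counted over; also the block length
TRUSTED="${TRUSTED:-}"      # optional source CIDR that is never rate limited

# Emit the rule set as text so it can be reviewed before it touches a live
# firewall, or pasted into an existing rule script.
ssh_recent_rules() {
    r_port="$1"; r_hits="$2"; r_secs="$3"; r_trusted="$4"

    # A dedicated chain, inserted at the top of INPUT, sees every new SSH
    # SYN before an existing "accept port 22" rule can short-circuit it.
    echo "iptables -N SSHBRUTE"
    echo "iptables -I INPUT 1 -p tcp --dport $r_port --syn -j SSHBRUTE"

    # Whitelist first: the counter cannot tell an attacker from an admin
    # who opens several sessions quickly, and this is what keeps you from
    # locking yourself out.
    if [ -n "$r_trusted" ]; then
        echo "iptables -A SSHBRUTE -s $r_trusted -j RETURN"
    fi

    # Log (rate limited) when a source is over the threshold. --rcheck only
    # reads the list; it does not add a timestamp for this packet.
    echo "iptables -A SSHBRUTE -m recent --name sshbrute --rcheck --seconds $r_secs --hitcount $r_hits -m limit --limit 3/min -j LOG --log-prefix 'SSH-BRUTE: '"

    # Drop when $r_hits SYNs from this source are already recorded within
    # the last $r_secs seconds. --update also refreshes the source's
    # timestamp, so the block lasts $r_secs seconds after its LAST attempt;
    # use --rcheck here instead for a fixed window from the first attempt.
    echo "iptables -A SSHBRUTE -m recent --name sshbrute --update --seconds $r_secs --hitcount $r_hits -j DROP"

    # Otherwise record this SYN and hand the packet back to INPUT, where the
    # normal SSH accept rule applies. (The list keeps 20 stamps per address
    # by default, so keep HITCOUNT at or below that.)
    echo "iptables -A SSHBRUTE -m recent --name sshbrute --set -j RETURN"
}

# The kernel exposes the list under /proc: writing "-addr" removes one
# entry and "/" flushes the list. Older kernels use /proc/net/ipt_recent.
recent_list_path() {
    for p in /proc/net/xt_recent/sshbrute /proc/net/ipt_recent/sshbrute; do
        if [ -e "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# Release a source that got itself blocked, e.g. a colleague on a flaky link.
ssh_unblock() {
    p="$(recent_list_path)" || { echo "recent list not loaded" >&2; return 1; }
    echo "-$1" > "$p"
}

# Dry run by default: print the rules. Run as root with DRY_RUN=0 to apply.
if [ "${DRY_RUN:-1}" = 0 ] && [ "$(id -u)" = 0 ]; then
    ssh_recent_rules "$SSH_PORT" "$HITCOUNT" "$WINDOW" "$TRUSTED" | sh -e
else
    ssh_recent_rules "$SSH_PORT" "$HITCOUNT" "$WINDOW" "$TRUSTED"
fi
```

Note what this does and does not measure: the recent module sees connection attempts, not failed logins, so the threshold is "more than X new connections in Y seconds" exactly as the reply says, and a legitimate user running a burst of scp commands can trip it just as well as a password guesser. That is why the trusted-source rule comes first, and why the rules only add to an existing ruleset that already accepts SSH in INPUT; they do not replace it.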