Failed attempts, block address
Hi list,

Been getting a ton of attempts on my ssh/ftp connections as of late. First they started with the usual script kids trying the admin/guest/etc on the ssh connection; now I get people trying all sorts of stupid usernames with blank passwords on the ftp connection.

1. Is there a way to block an IP, either perm. or for a set period of time, for SSH attempts?
2. Is there a similar way for VSFTP?

I'm sure I could block the addresses manually, but I'd like it if it was automated, say for 6 attempts?

Matt
SuSE 9.1
MB wrote on 08/19/2004 08:40 PM:
1. Is there a way to block an IP, either perm. or for set period of time for SSH attempts
AFAIK not directly, but you could do it using iptables. If you get a lot of these automatic tries: why not configure vsftp and ssh to listen on a non-standard port?

Michael.
IME, the combination of cron and iptables does the trick. A small shell script is required to grep logs (don't forget a log rule in iptables) and add the rules in.

As for SSH, I myself strongly recommend setting port 22 to be allowed for several trusted IP addresses, and blocking the rest. Thus, from an "untrusted" site you'll have to make a connection to a trusted server (over VPN? SSH? whatever, as long as it's secure, really), and from *there* connect to your server. Inconvenient? Add your home and working IPs into the allowed list. Secure? No! More secure than a world-open port? For the most part - yes.
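The cron-plus-iptables approach described above, as an added example that is not part of the original thread: it counts failures in sshd and vsftpd log lines (rather than iptables LOG entries), uses the 6-attempt threshold from the question, and prints the rules instead of applying them. The log lines, the addresses and the `TRUSTED` allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): log-driven blocking for cron.
THRESHOLD=6                 # "say for 6 attempts", as asked in the thread
TRUSTED="198.51.100.7"      # constructed allowlist: never block these

# offenders LIMIT: read auth log lines on stdin, print IPs with >= LIMIT failures.
offenders() {
    awk -v limit="$1" '
        # Count only strings shaped like an IPv4 address; they end up in a rule.
        function hit(ip) { if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++ }
        # sshd: "Failed password for [invalid user] NAME from IP port N ssh2".
        # NAME is chosen by the client, so use the last "from" on the line.
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = NF - 1; i >= 1; i--) if ($i == "from") { hit($(i + 1)); break }
            next
        }
        # vsftpd: ... [NAME] FAIL LOGIN: Client "IP"
        /FAIL LOGIN: Client/ { ip = $NF; gsub(/"/, "", ip); hit(ip) }
        END { for (ip in count) if (count[ip] >= limit) print ip }
    ' | sort
}

# block_rules: offender IPs on stdin -> iptables commands, printed for review.
block_rules() {
    while read -r ip; do
        case " $TRUSTED " in *" $ip "*) continue ;; esac
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Constructed sample input in sshd and vsftpd log formats.
sample_log() {
    i=0
    while [ "$i" -lt 6 ]; do
        echo "Aug 19 20:40:0$i host sshd[411]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
        echo "Thu Aug 19 20:41:0$i 2004 [pid 77] [guest] FAIL LOGIN: Client \"198.51.100.7\""
        i=$((i + 1))
    done
    echo "Aug 19 20:42:00 host sshd[412]: Failed password for matt from 192.0.2.10 port 5000 ssh2"
    echo "Aug 19 20:42:05 host sshd[413]: Failed password for invalid user from 10.9.9.9 from 192.0.2.44 port 5001 ssh2"
}

sample_log | offenders "$THRESHOLD" | block_rules
```

From cron, feed `offenders` the real log files instead of `sample_log`; rules already present should be skipped (for example with `iptables -C`), and a timed block needs a second job that deletes the rule.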
On Thursday 19 August 2004 20:40, MB wrote:
Hi list,
Been getting a ton of attempts on my ssh/ftp connections as of late. First they started with the usual script kids trying the admin/guest/etc on the ssh connection; now I get people trying all sorts of stupid usernames with blank passwords on the ftp connection.
1. Is there a way to block an IP, either perm. or for a set period of time, for SSH attempts?
2. Is there a similar way for VSFTP?
I'm sure I could block the addresses manually, but I'd like it if it was automated, say for 6 attempts?
I've read that "port knocking" can help with this problem. You might investigate that. HTH, Kevin
How do I get to check browsing activity on my server and therefore apply policies? Paul
How do I get to check browsing activity on my server and therefore apply policies?

If you mean web-browsing, check out the squid log files and ACLs in /etc/squid.conf. If you don't use a web proxy yet, you will have to use one. For example, I blocked people in my company from using Internet Explorer with squid: http://gaugusch.at/squid.shtml

Markus
Hmm, sounds like that'll work, only most of the time I would be connecting from an untrusted site because I'd need a file or something at that site while I was working there. I currently don't have any "buddies" that have a spare shell. As far as ftp goes, again I could connect to someone else's and then to mine, but that's a pain, so I'm assuming there is no automated way. I'll look into these suggestions that y'all have made, thanks again. More than likely get a friend to get un-lazy and make an account.

As far as the other email stating changing my ports, that would've been done right away, only the people I give access to these files wouldn't know the first thing about changing the port on their "client" and would call and cry, y'all know how it is. Security vs Usability
I have probably missed previous conversations of this, but the following files (installed on my SuSE 9.1 as a requirement for another package or set of packages) were installed world-writable. Theoretical 'cat /dev/zero > /var/lib/texmf/db/ls-R'? One can either chattr them append-only or remove "other" write perms. I did the latter and will wait to see what I broke :) This has plagued some of the other distros, and I believe they fixed theirs. Dunno if TeTex fixed in the CSV's, etc.

/var/cache/fonts/ls-R
/var/lib/texmf/db/ls-R
/var/lib/texmf/ls-R
participants (7): Curt Bryson, Kevin Brannen, Markus Gaugusch, Maxim A Belushkin, MB, Michael Schachtebeck, Paul Ikanza