[opensuse] block failed ssh login attacks? (like fail2ban on ubuntu)
I get gobs of messages like this in /var/log/messages:

Dec 19 14:27:41 shoehorn sshd[11058]: Invalid user manager from 200.222.17.14
Dec 19 14:27:44 shoehorn sshd[11062]: Invalid user majordomo from 200.222.17.14
Dec 19 14:27:54 shoehorn sshd[11070]: Invalid user master from 200.222.17.14
Dec 19 14:28:06 shoehorn sshd[11080]: Invalid user named from 200.222.17.14
Dec 19 14:28:09 shoehorn sshd[11084]: Invalid user nasa from 200.222.17.14
Dec 19 14:28:16 shoehorn sshd[11088]: Invalid user netdump from 200.222.17.14
Dec 19 14:28:36 shoehorn sshd[11100]: Invalid user nfsnobody from 200.222.17.14
Dec 19 14:28:39 shoehorn sshd[11104]: Invalid user operator from 200.222.17.14

... on an older machine, I use fail2ban to look for this kind of harassment and block the IP for some amount of time.

Is there anything to accomplish this for SuSE? I'm running SuSE 10.1.

Thanks!

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
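The detection step the post describes, as an added example that is not part of the original thread and is not fail2ban's or DenyHosts' code: it counts `Invalid user` lines per source address in a sliding window and reports when each address would be banned. The parameter names mirror fail2ban's `maxretry`, `findtime` and `bantime` options; the values, the assumed year, and every sample line after the first four are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First four lines are from the post; the rest are constructed for this example.
SAMPLE_LOG = """\
Dec 19 14:27:41 shoehorn sshd[11058]: Invalid user manager from 200.222.17.14
Dec 19 14:27:44 shoehorn sshd[11062]: Invalid user majordomo from 200.222.17.14
Dec 19 14:27:54 shoehorn sshd[11070]: Invalid user master from 200.222.17.14
Dec 19 14:28:06 shoehorn sshd[11080]: Invalid user named from 200.222.17.14
Dec 19 14:30:01 shoehorn sshd[11201]: Invalid user a from 192.0.2.99 from 203.0.113.9
Dec 19 14:30:03 shoehorn sshd[11203]: Invalid user b from 192.0.2.99 from 203.0.113.9
Dec 19 14:30:05 shoehorn sshd[11205]: Invalid user c from 192.0.2.99 from 203.0.113.9
Dec 19 14:31:00 shoehorn sshd[11300]: Invalid user test from 192.0.2.7
Dec 19 14:50:00 shoehorn sshd[11400]: Invalid user guest from 192.0.2.7
Dec 19 14:56:00 shoehorn sshd[11500]: Accepted publickey for joe from 198.51.100.5 port 4022 ssh2
"""

# The user field is client-supplied free text, so the address (IPv4 only here)
# is anchored to the end of the line and the sshd[pid] tag is required.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: port \d+)?\s*$")

def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(minutes=10), year=2006):
    """Return [(ip, ban_start, ban_end)] for a syslog excerpt (year is assumed)."""
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not an sshd "Invalid user" line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and when < banned_until[ip]:
            continue              # already blocked; do not count again
        q = recent[ip]
        q.append(when)
        while when - q[0] > findtime:
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry:
            banned_until[ip] = when + bantime
            bans.append((ip, when, when + bantime))
            q.clear()
    return bans
```
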
* fdr-os@corona.imap.cc
Dec 19 14:28:39 shoehorn sshd[11104]: Invalid user operator from 200.222.17.14
... on an older machine, I use fail2ban to look for this kind of harassment and block the IP for some amount of time.
Is there anything to accomplish this for SuSE?
I'm running SuSE 10.1.
me 2

I use DenyHosts, http://www.denyhosts.net
but there is no openSUSE rpm for installing. I used the python installer provided with the tar-ball.

--
Patrick Shanahan Registered Linux User #207535
http://wahoo.no-ip.org @ http://counter.li.org
HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery2
OpenSUSE Linux http://en.opensuse.org/
On 19/12/06 18:35 -0500, Patrick Shanahan wrote:
* fdr-os@corona.imap.cc
[12-19-06 18:19]: Dec 19 14:28:39 shoehorn sshd[11104]: Invalid user operator from 200.222.17.14
... on an older machine, I use fail2ban to look for this kind of harassment and block the IP for some amount of time.
Is there anything to accomplish this for SuSE?
I use DenyHosts, http://www.denyhosts.net
but there is no openSUSE rpm for installing. I used the python installer provided with the tar-ball.
*unofficial* builds here:
http://ftp-1.gwdg.de/pub/opensuse/repositories/home:/countdrunkula/

rgds
Craig
fdr-os@corona.imap.cc wrote:
I get gobs of messages like this in /var/log/messages:
Dec 19 14:27:41 shoehorn sshd[11058]: Invalid user manager from 200.222.17.14
Dec 19 14:27:44 shoehorn sshd[11062]: Invalid user majordomo from 200.222.17.14
Dec 19 14:27:54 shoehorn sshd[11070]: Invalid user master from 200.222.17.14
Dec 19 14:28:06 shoehorn sshd[11080]: Invalid user named from 200.222.17.14
Dec 19 14:28:09 shoehorn sshd[11084]: Invalid user nasa from 200.222.17.14
Dec 19 14:28:16 shoehorn sshd[11088]: Invalid user netdump from 200.222.17.14
Dec 19 14:28:36 shoehorn sshd[11100]: Invalid user nfsnobody from 200.222.17.14
Dec 19 14:28:39 shoehorn sshd[11104]: Invalid user operator from 200.222.17.14
... on an older machine, I use fail2ban to look for this kind of harassment and block the IP for some amount of time.
Is there anything to accomplish this for SuSE?
fail2ban.

Well, seriously, though there is no RPM package for SUSE (well, at least none that I know of), the fail2ban source works quite well. Granted, it would be a very good addition to openSUSE, for a future release or for the build service.

Cheers,
Joachim

--
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
On Wed, Dec 20, 2006 at 02:13:02AM +0100, Joachim Schrod wrote:
fail2ban.
I switched from fail2ban to denyhosts on the 30 or so Linux servers I admin. I much prefer it.

Michael
--
San Francisco, CA
fdr-os@corona.imap.cc wrote:
I get gobs of messages like this in /var/log/messages:
Dec 19 14:27:41 shoehorn sshd[11058]: Invalid user manager from 200.222.17.14
Dec 19 14:27:44 shoehorn sshd[11062]: Invalid user majordomo from 200.222.17.14
Dec 19 14:27:54 shoehorn sshd[11070]: Invalid user master from 200.222.17.14
Dec 19 14:28:06 shoehorn sshd[11080]: Invalid user named from 200.222.17.14
Dec 19 14:28:09 shoehorn sshd[11084]: Invalid user nasa from 200.222.17.14
Dec 19 14:28:16 shoehorn sshd[11088]: Invalid user netdump from 200.222.17.14
Dec 19 14:28:36 shoehorn sshd[11100]: Invalid user nfsnobody from 200.222.17.14
Dec 19 14:28:39 shoehorn sshd[11104]: Invalid user operator from 200.222.17.14
... on an older machine, I use fail2ban to look for this kind of harassment and block the IP for some amount of time.
Is there anything to accomplish this for SuSE?
I'm running SuSE 10.1.
hmm, I always limit the allowed IPs in hosts.{deny.allow} and also limit the list of users who can login via ssh in sshd_config - saves a lot of overhead if we just close the door, rather than trying to dance with these folks...

Joe
* J Sloan
hmm, I always limit the allowed IPs in hosts.{deny.allow} and also limit the list of users who can login via ssh in sshd_config - saves a lot of overhead if we just close the door, rather than trying to dance with these folks...
Yes, best practice but not practical if you run a server for public access. Or is there a way to *only* block ssh access and allow http?

--
Patrick Shanahan
On 19 Dec 2006, ptilopteri@gmail.com wrote:
Yes, best practice but not practical if you run a server for public access. Or is there a way to *only* block ssh access and allow http?
Yes, use Snort, and tweak the rules to your liking. You can block access by using Flex-response (built into Snort) or something like blockit.pl.

Charles

--
panic("Yeee, unsupported cache architecture.");
linux-2.6.6/arch/mips/mm/cache.c
Patrick Shanahan wrote:
* J Sloan
[12-19-06 21:06]: hmm, I always limit the allowed IPs in hosts.{deny.allow} and also limit the list of users who can login via ssh in sshd_config - saves a lot of overhead if we just close the door, rather than trying to dance with these folks...
Yes, best practice but not practical if you run a server for public access. Or is there a way to *only* block ssh access and allow http?
By IP-address with hosts.deny/allow? Sure. See "man 5 hosts_access".

/Per Jessen, Zürich

--
http://www.spamchek.com/ - managed email security. Starting at SFr4/user/month.
fdr-os@corona.imap.cc wrote:
I get gobs of messages like this in /var/log/messages:
Dec 19 14:27:41 shoehorn sshd[11058]: Invalid user manager from 200.222.17.14
Dec 19 14:27:44 shoehorn sshd[11062]: Invalid user majordomo from 200.222.17.14
Dec 19 14:27:54 shoehorn sshd[11070]: Invalid user master from 200.222.17.14
Dec 19 14:28:06 shoehorn sshd[11080]: Invalid user named from 200.222.17.14
Dec 19 14:28:09 shoehorn sshd[11084]: Invalid user nasa from 200.222.17.14
Dec 19 14:28:16 shoehorn sshd[11088]: Invalid user netdump from 200.222.17.14
Dec 19 14:28:36 shoehorn sshd[11100]: Invalid user nfsnobody from 200.222.17.14
Dec 19 14:28:39 shoehorn sshd[11104]: Invalid user operator from 200.222.17.14
... on an older machine, I use fail2ban to look for this kind of harassment and block the IP for some amount of time.
Is there anything to accomplish this for SuSE?
http://lists.suse.com/archive/suse-security/2005-Dec/0069.html

This works really well.

/Per Jessen, Zürich
On Wednesday 20 December 2006 08:23, Charles philip Chan wrote:
On 19 Dec 2006, fdr-os@corona.imap.cc wrote:
Is there anything to accomplish this for SuSE?
I use Snort in conjunction with blockit.pl.
Charles
denyhosts.sourceforge.net

--
Best regards
Verner Kjærsgaard
participants (9): Charles philip Chan, Craig Millar, fdr-os@corona.imap.cc, J Sloan, Joachim Schrod, Michael Nelson, Patrick Shanahan, Per Jessen, Verner Kjærsgaard