LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 07-19-2008, 08:52 PM   #31
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,281

Rep: Reputation: 61

I have a little script that I use to scan my log files for people trying to log in to ssh, once they get to a limit of attempts, I then use iptables to block them permantely.


Code:
#!/bin/sh
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="1"
IPTABLES=`which iptables`

cat /var/log/messages | grep "user not found" | tr -c '.[:digit:]' '\n' | grep '^[^.][^.]*\.[^.][^.]*\.[^.][^.]*\.[^.][^.]*$' | sort | uniq -c | sort -n | while read i
do
	# read number of failed attempts
	count=`echo $i | cut -d" " -f1`

	# read ip address from failed attempt
	ip=`echo $i | cut -d" " -f2`

	#check hostdeny file to see if IP already exist
	already=`grep $ip $HOSTSDENY`

	#if IP does not exist add it to hostdeny file
	if [ -z $already ]; then
		if [ $count -ge $BADCOUNT ]; then
			echo "$ip" >> $HOSTSDENY

			# add a rule to iptables to drop
			CHECK_IPTABLES=`$IPTABLES -L -n | grep "$ip"` # check first to see if a rule already exists

			if [ -z $CHECK_IPTABLES ]; then
				$IPTABLES -I INPUT -s $ip -j DROP
			fi
		fi
	fi
done
 
Old 07-20-2008, 08:15 AM   #32
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414Reputation: 414Reputation: 414Reputation: 414Reputation: 414
Quote:
Originally Posted by /dev/me
Would it be safe to assume btw that anyone who has the knowledge to move ssh to a different port also has the knowledge to appreciate the value of long and complicated passwords and out-of-the-ordinary login names??
You would think this is true, but I've seen way too many people think that moving the ssh port is all the "security" they need to actually believe it. Most people with this problem are only concerned because of the scary entries in their log files. Once those go away, they make the grand leap to the assumption that they are therefore secure. I've also seen people who should know better argue ferociously that moving the ssh port is all that is needed.
 
  


Reply

Tags
fail2ban, sshd


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
help with my first hack? oldstinkyfish Programming 1 11-13-2004 07:03 AM
Hack this... Pipewrench General 1 10-09-2004 08:02 PM
got hack? deepsix Linux - Software 1 09-16-2003 10:41 PM
what the hack is this? doublefailure Linux - Security 13 04-24-2003 01:23 PM
hack ? spooge Linux - Security 4 01-21-2003 12:54 PM


All times are GMT -5. The time now is 06:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration