on sep 25th, 2004
tagged nerd, openbsd
these ssh brute force login attempts are really annoying.
jcs@giraffe:~> grep "Sep 25.*Failed password for root" /var/log/messages | wc -l
851
just like spam, most of them come from machines in some far off country that nobody gives a shit about, so reporting them is useless. block one ip and another one hits in a few hours. i'm debating whether to make sshd on all of our servers listen on a different port just so i don't have to see these scroll through syslog every day. i don't want to have to enable pf on every machine and maintain lists of ips that are allowed to connect to ssh.
it'd be nice to have something that automatically and temporarily drops traffic from offending ips gathered from multiple sources: a spammer's ip from postfix, a worm-infected ip from apache, a brute force login attempt from sshd or ftpd, a port-scanning ip from pf, etc. drop traffic after x number of invalid attempts from the same ip, but automatically re-enable access after a certain amount of time. like openvms' intrusion detection, the more invalid attempts, the longer it stays locked.
i'd like to see it in the kernel though, so each daemon just links with a certain library (or put it in libc or something) and calls a function to register an offense from a certain ip. the kernel would handle the tracking of these offenses, dropping traffic as needed and un-blocking after a certain amount of time. it should be configurable with sysctl, too.
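a userspace sketch of the tracking half of that idea, added here as an example and not code from the original post: it pulls sshd failures out of syslog-style lines, blocks an ip after a few failures in a short window, doubles the lockout each time the same ip earns another block, and lets blocks lapse on their own. the log lines, the thresholds, and the year on the timestamps are all made up for the example.

```python
import calendar
import re
from datetime import datetime

# constructed sample syslog lines (not from the original post); the year is assumed to be 2004
SAMPLE_LOG = """\
Sep 25 03:12:01 giraffe sshd[1234]: Failed password for root from 203.0.113.7 port 4422 ssh2
Sep 25 03:12:04 giraffe sshd[1234]: Failed password for root from 203.0.113.7 port 4423 ssh2
Sep 25 03:12:09 giraffe sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 4424 ssh2
Sep 25 03:12:15 giraffe sshd[1236]: Accepted publickey for jcs from 192.0.2.10 port 50000 ssh2
Sep 25 03:13:40 giraffe sshd[1237]: Failed password for root from 198.51.100.9 port 6001 ssh2
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\d+(?:\.\d+){3}) port")
def syslog_time(stamp, year=2004):
    """unix seconds for a syslog timestamp (which carries no year), treated as utc"""
    return calendar.timegm(datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y").timetuple())
class OffenseTracker:
    """block an ip after `threshold` offenses within `window` seconds; every repeat block doubles the lockout"""
    def __init__(self, threshold=3, window=600, base_lockout=300):
        self.threshold, self.window, self.base_lockout = threshold, window, base_lockout
        self.attempts = {}       # ip -> times of recent offenses
        self.strikes = {}        # ip -> how many times it has been blocked so far
        self.blocked_until = {}  # ip -> unix time the current block expires
    def is_blocked(self, ip, now):
        """true while the ip's block is in force; expired blocks are dropped on the way"""
        for old in [i for i, until in self.blocked_until.items() if until <= now]:
            del self.blocked_until[old]
        return ip in self.blocked_until
    def report(self, ip, now):
        """register one offense; returns the lockout in seconds if it triggers a block, else 0"""
        if self.is_blocked(ip, now):
            return 0  # traffic from it is already being dropped
        recent = [t for t in self.attempts.get(ip, []) if now - t <= self.window] + [now]
        self.attempts[ip] = recent
        if len(recent) < self.threshold:
            return 0
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        lockout = self.base_lockout * 2 ** (self.strikes[ip] - 1)  # openvms-style escalation
        self.blocked_until[ip] = now + lockout
        self.attempts[ip] = []
        return lockout
def scan_sshd_log(text, tracker):
    """feed sshd failures from syslog text to the tracker; returns [(ip, lockout_seconds), ...] for new blocks"""
    blocks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (lockout := tracker.report(m.group(2), syslog_time(m.group(1)))):
            blocks.append((m.group(2), lockout))
    return blocks
```

on openbsd the ips this returns would go into a pf table with pfctl -t <table> -T add and come back out with -T delete once is_blocked says the time is up; the in-kernel, sysctl-tunable version the post asks for would take the place of the whole tracker.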