Networking Forums > Computer Networking > Linux Networking

Automatic blocking of attackers' IP

FEEB (Guest), 09-07-2004, 01:53 PM
Hi,

I would like to have the following scenario implemented on my network:

1.
Someone tries repeatedly and illegally to log in as 'admin', 'root' or
whatever from some IP using SSH (or any other means).

2.
When the number of attempts reaches a predefined trigger level, an action
occurs (a script is executed, etc.)

The definition of attempts, the trigger level and the resulting action
should be configurable.

Is a watchdog like that that would fulfill my requirements available
somewhere out there or do I have to sit down and start scripting?

Thanks


Frank Bures, <(E-Mail Removed)>

Mark A. Odell (Guest), 09-07-2004, 03:07 PM
"FEEB" <(E-Mail Removed)> wrote in
news:(E-Mail Removed) .utoronto.ca:

> Hi,
>
> I would like to have the following scenario implemented on my network:
>
> 1.
> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
> whatever from some IP using SSH (or any other means).


Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
domains you wish to allow in hosts.allow?

--
- Mark ->
--
 
Gandalf Parker (Guest), 09-07-2004, 03:31 PM
"FEEB" <(E-Mail Removed)> wrote in
news:(E-Mail Removed) .utoronto.ca:

> 1.
> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
> whatever from some IP using SSH (or any other means).
>
> 2.
> When the number of attempts reaches a predefined trigger level, an
> action occurs (a script is executed, etc.)


I know it's out there. I've seen it. I'm on my way out or I would search for
it. I would tend to write my own anyway so I'm pretty sure I didn't install
it.

Gandalf Parker
-- the music should always change when..
Someone in a horror movie says "We should be safe here"
Someone driving says "I've never had an accident"
Some computer user says "My machine is secure"

FEEB (Guest), 09-07-2004, 03:51 PM
On 7 Sep 2004 15:07:27 GMT, Mark A. Odell wrote:

>"FEEB" <(E-Mail Removed)> wrote in
>news:(E-Mail Removed) m.utoronto.ca:
>
>> Hi,
>>
>> I would like to have the following scenario implemented on my network:
>>
>> 1.
>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
>> whatever from some IP using SSH (or any other means).

>
>Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
>domains you wish to allow in hosts.allow?


We must be open to anyone. That's our business :-)




Frank Bures, <(E-Mail Removed)>

Mark A. Odell (Guest), 09-07-2004, 04:56 PM
"FEEB" <(E-Mail Removed)> wrote in
news:(E-Mail Removed) .utoronto.ca:

>>> I would like to have the following scenario implemented on my network:
>>>
>>> 1.
>>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
>>> whatever from some IP using SSH (or any other means).

>>
>>Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
>>domains you wish to allow in hosts.allow?

>
> We must be open to anyone. That's our business :-)


Ah. Then just put the bad IP or IP range into the hosts.deny. Of course
this won't scale well for many IP addresses.

--
- Mark ->
--
 
FEEB (Guest), 09-07-2004, 05:12 PM
On 7 Sep 2004 16:56:58 GMT, Mark A. Odell wrote:

>"FEEB" <(E-Mail Removed)> wrote in
>news:(E-Mail Removed) m.utoronto.ca:
>
>>>> I would like to have the following scenario implemented on my network:
>>>>
>>>> 1.
>>>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
>>>> whatever from some IP using SSH (or any other means).
>>>
>>>Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
>>>domains you wish to allow in hosts.allow?

>>
>> We must be open to anyone. That's our business :-)

>
>Ah. Then just put the bad IP or IP range into the hosts.deny. Of course
>this won't scale well for many IP addresses.


It would be quite inconvenient in our case of 4 full C-blocks.

The mechanism of blocking the intruder is available. However, I want to
do it automatically and only after a certain trigger level has been
reached. I know how to do it, I just do not want to reinvent the wheel.


Frank Bures, <(E-Mail Removed)>

Geoffrey King (Guest), 09-07-2004, 05:27 PM
On Tue, 07 Sep 2004 09:53:31 -0400, FEEB wrote:

> Hi,
>
> I would like to have the following scenario implemented on my network:
>
> 1.
> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
> whatever from some IP using SSH (or any other means).
>
> 2.
> When the number of attempts reaches a predefined trigger level, an action
> occurs (a script is executed, etc.)
>
> The definition of attempts, the trigger level and the resulting action
> should be configurable.
>
> Is a watchdog like that that would fulfill my requirements available
> somewhere out there or do I have to sit down and start scripting?


1. Rate limit SSH connections with iptables. You can use traffic shaping
to get fine-grained control if that isn't enough.

2. Use Swatch to monitor your SSH log file for failed connections. Tell it
to use iptables to drop traffic from IPs that appear too often. There's
an example in the config that almost does this for you already.

http://swatch.sourceforge.net/

--
BOFH Excuse #205:

Quantum dynamics are affecting the transistors

Bill Unruh (Guest), 09-07-2004, 06:48 PM
"FEEB" <(E-Mail Removed)> writes:

]On 7 Sep 2004 15:07:27 GMT, Mark A. Odell wrote:

]>"FEEB" <(E-Mail Removed)> wrote in
]>news:(E-Mail Removed) m.utoronto.ca:
]>
]>> Hi,
]>>
]>> I would like to have the following scenario implemented on my network:
]>>
]>> 1.
]>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
]>> whatever from some IP using SSH (or any other means).
]>
]>Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
]>domains you wish to allow in hosts.allow?

]We must be open to anyone. That's our business :-)

Then why are you asking how to close yourself to some?
Sounds like a DoS would be possible if you implement what you want (i.e. from
a machine that you need, an attacker tries to log onto your system a number
of times, and thus closes off that machine entirely).
Anyway, why does it matter? Is your root password weak enough that you are
afraid someone could guess it? Also you could just institute norootlogins
in ssh and then they could not succeed even if they got the password.


What I am far more concerned about is that places are putting up firewalls
which block out ssh. I was just in an airline lounge in Sao Paulo, where
their firewall blocks outgoing ssh, which meant I could not log onto my
home machine at all.


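The two technical points made so far, Geoffrey King's "watch the SSH log and react through iptables or hosts.deny" approach and Bill Unruh's warning that such a trigger lets a burst of bad logins from a machine you depend on lock that machine out, put together as an added example. This is a constructed shell script, not Swatch and not code from any poster in the thread; it parses the classic sshd syslog line "Failed password for USER from IP port N ssh2", the sample log lines are made up (RFC 5737 documentation addresses), and THRESHOLD, NEVER_BLOCK, ACTION and print_deny_entry are names chosen here:

```shell
#!/bin/sh
# Added example (not from the thread, not Swatch): a small log watchdog in the
# shape FEEB asked for. It counts failed SSH logins per source address, runs a
# configurable action once a source reaches a configurable trigger level, and
# never acts on an allowlist of hosts (the self-lockout risk raised in the
# thread). Variable names, the allowlist and the sample log are constructed.

THRESHOLD="${THRESHOLD:-5}"                        # trigger level: failures per source
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1 192.0.2.10}" # hosts that must stay reachable
ACTION="${ACTION:-print_deny_entry}"               # function run once per offender

# Default action: emit a tcp_wrappers hosts.deny entry as a dry run. A real
# deployment would append it to /etc/hosts.deny, or use an action such as
#   iptables -I INPUT -s "$1" -p tcp --dport 22 -j DROP
print_deny_entry() {
  printf 'sshd: %s\n' "$1"
}

# Constructed sample log: 198.51.100.7 fails 5 times (reaches the trigger),
# 192.0.2.10 fails 5 times but is allowlisted, 203.0.113.5 stays below it.
SAMPLE_LOG='Sep  7 13:40:01 gw sshd[2001]: Failed password for root from 198.51.100.7 port 40112 ssh2
Sep  7 13:40:03 gw sshd[2001]: Failed password for root from 198.51.100.7 port 40112 ssh2
Sep  7 13:40:05 gw sshd[2001]: Failed password for root from 198.51.100.7 port 40112 ssh2
Sep  7 13:40:07 gw sshd[2003]: Failed password for admin from 198.51.100.7 port 40113 ssh2
Sep  7 13:40:09 gw sshd[2003]: Failed password for admin from 198.51.100.7 port 40113 ssh2
Sep  7 13:40:11 gw sshd[2005]: Failed password for frank from 192.0.2.10 port 51000 ssh2
Sep  7 13:40:13 gw sshd[2005]: Failed password for frank from 192.0.2.10 port 51000 ssh2
Sep  7 13:40:15 gw sshd[2005]: Failed password for frank from 192.0.2.10 port 51000 ssh2
Sep  7 13:40:17 gw sshd[2006]: Failed password for frank from 192.0.2.10 port 51001 ssh2
Sep  7 13:40:19 gw sshd[2006]: Failed password for frank from 192.0.2.10 port 51001 ssh2
Sep  7 13:40:21 gw sshd[2006]: Accepted password for frank from 192.0.2.10 port 51001 ssh2
Sep  7 13:41:00 gw sshd[2010]: Failed password for root from 203.0.113.5 port 33000 ssh2
Sep  7 13:41:02 gw sshd[2010]: Failed password for root from 203.0.113.5 port 33000 ssh2'

# Stage 1: read log lines on stdin, pull the source address out of each failed
# login, and print "ip count" for every source at or above THRESHOLD.
offenders() {
  sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9][0-9.]*\) port .*/\1/p' |
    sort | uniq -c |
    awk -v t="$THRESHOLD" '$1 >= t { print $2, $1 }'
}

# Stage 2: drop allowlisted sources, so a burst of bad logins coming from a
# host you rely on cannot lock that host out.
protect() {
  while read -r ip count; do
    keep=1
    for p in $NEVER_BLOCK; do
      if [ "$ip" = "$p" ]; then keep=0; fi
    done
    if [ "$keep" -eq 1 ]; then printf '%s %s\n' "$ip" "$count"; fi
  done
}

# Stage 3: run the configured action once for each remaining offender.
react() {
  while read -r ip count; do
    printf 'trigger: %s reached %s failed logins\n' "$ip" "$count" >&2
    "$ACTION" "$ip" "$count"
  done
}

# The whole pipeline; feed it the auth log (live via tail, or a saved file).
watchdog() {
  offenders | protect | react
}

printf '%s\n' "$SAMPLE_LOG" | watchdog
```

Run as is, it prints the one hosts.deny line for 198.51.100.7 and a trigger message on stderr; 192.0.2.10 reached the same count but is allowlisted, and 203.0.113.5 stayed below the trigger. Two caveats before pointing this at a live log: the counts here only grow, so a real tool needs a time window (an old burst should not count forever, and blocks should expire), and the allowlist only protects the hosts you list, so keep an out-of-band way back into the machine before enabling any automatic block.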
 
Bill Unruh (Guest), 09-07-2004, 06:50 PM
"FEEB" <(E-Mail Removed)> writes:

]On 7 Sep 2004 16:56:58 GMT, Mark A. Odell wrote:

]>"FEEB" <(E-Mail Removed)> wrote in
]>news:(E-Mail Removed) m.utoronto.ca:
]>
]>>>> I would like to have the following scenario implemented on my network:
]>>>>
]>>>> 1.
]>>>> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
]>>>> whatever from some IP using SSH (or any other means).
]>>>
]>>>Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
]>>>domains you wish to allow in hosts.allow?
]>>
]>> We must be open to anyone. That's our business :-)
]>
]>Ah. Then just put the bad IP or IP range into the hosts.deny. Of course
]>this won't scale well for many IP addresses.

]It would be quite inconvenient in our case of 4 full C-blocks.

What? You have four full C blocks all of which you want to deny? (actually
that is easy, since you can put nets into hosts.deny, not just host
addresses). I think you need to make clearer what you want to do and why
you want to do it.


]The mechanism of blocking the intruder is available. However, I want to
]do it automatically and only after the certain trigger level has been

Again, why?
 
P Gentry (Guest), 09-07-2004, 07:57 PM
"FEEB" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed) m.utoronto.ca>...
> Hi,
>
> I would like to have the following scenario implemented on my network:
>
> 1.
> Someone tries repeatedly and illegally to log in as 'admin', 'root' or
> whatever from some IP using SSH (or any other means).
>
> 2.
> When the number of attempts reaches a predefined trigger level, an action
> occurs (a script is executed, etc.)
>
> The definition of attempts, the trigger level and the resulting action
> should be configurable.
>
> Is a watchdog like that that would fulfill my requirements available
> somewhere out there or do I have to sit down and start scripting?
>
> Thanks
>
>
> Frank Bures, <(E-Mail Removed)>


http://www.cipherdyne.org/index.html
 