[NBLUG/talk] opensshd delay after fail

Bob Blick bblick at sonic.net
Wed Oct 19 10:18:16 PDT 2005


> What about some dynamic iptables rules using the TARPIT target?
>
> Watch the logs for failed login attempts, or logins that don't exist
> on your system, and then tarpit 'em.

First, thanks to all who have responded. Lots of ideas I would never have
thought of myself.

My original idea was to patch or find a patched version of opensshd, but
after reading all the great replies, that doesn't seem like the best way
to go.

Denying, either through hosts.deny or iptables, seems like the best thing
to do, with /var/log/messages as the source.

I don't want to block an IP address on just one bad attempt. I make
spelling errors and so do others.

But I also want to be fast responding, so a cron job that analyzes the log
doesn't appeal to me.

For inspiration I'm going to search and see what other people have done
and then see if I can put together something in perl that will work in
real time, tolerate a few bad login attempts, and then append the
hosts.deny file.

I'll try it on my test machine first :) And if it works I'll pass it along.

Cheerful regards,

Bob
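As an added illustration of the approach described in the message above (follow /var/log/messages live, tolerate a few failed sshd logins from one address, then append that address to hosts.deny), here is a small Python watcher. It is not Bob's script and not anything from the NBLUG list; the sample log lines are constructed, and the threshold of three failures within ten minutes, the `Failed password` regex, and the file paths are assumptions chosen for the example.

```python
import re
import sys
import time
from collections import defaultdict

# Constructed sample lines in the syslog format sshd writes to /var/log/messages.
SAMPLE_LOG = """\
Oct 19 10:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Oct 19 10:01:05 host sshd[1235]: Failed password for bob from 192.0.2.10 port 4243 ssh2
Oct 19 10:01:07 host sshd[1236]: Accepted password for bob from 198.51.100.7 port 5000 ssh2
Oct 19 10:01:09 host sshd[1237]: Failed password for root from 192.0.2.10 port 4244 ssh2
Oct 19 10:02:00 host sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 6000 ssh2
"""

# Assumed pattern: matches the common "Failed password for [invalid user] NAME from IP" line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def parse_failed_login(line):
    """Return the client IP of a failed sshd login line, or None for any other line."""
    m = FAILED_RE.search(line)
    return m.group(2) if m else None


class Tracker:
    """Counts failures per IP inside a sliding time window; denies on the threshold."""

    def __init__(self, threshold=3, window=600):
        self.threshold = threshold      # failures tolerated before denying (assumed: 3)
        self.window = window            # seconds over which failures are counted (assumed: 600)
        self.attempts = defaultdict(list)  # ip -> list of failure timestamps
        self.denied = set()

    def record(self, ip, now):
        """Record one failure at time `now`; return True the moment `ip` crosses the threshold."""
        if ip in self.denied:
            return False
        recent = [t for t in self.attempts[ip] if now - t <= self.window]
        recent.append(now)
        self.attempts[ip] = recent
        if len(recent) >= self.threshold:
            self.denied.add(ip)
            return True
        return False


def deny_line(ip):
    """hosts.deny entry blocking sshd for one client (daemon: client_list format)."""
    return "sshd: %s\n" % ip


def process_lines(lines, tracker, deny_path=None, clock=time.time):
    """Feed log lines through the tracker; yield each IP as it becomes denied.

    If deny_path is given, the matching hosts.deny line is appended immediately,
    so the block takes effect on the next connection without waiting for a cron job.
    """
    for line in lines:
        ip = parse_failed_login(line)
        if ip is None:
            continue
        if tracker.record(ip, clock()):
            if deny_path:
                with open(deny_path, "a") as f:
                    f.write(deny_line(ip))
            yield ip


def follow(path):
    """Yield lines appended to `path` as they arrive, like tail -f."""
    with open(path) as f:
        f.seek(0, 2)  # start at end: only new failures count, not history
        while True:
            line = f.readline()
            if not line:
                time.sleep(0.5)
                continue
            yield line


if __name__ == "__main__":
    # Usage: python watcher.py [/var/log/messages] [/etc/hosts.deny]
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/messages"
    deny_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/hosts.deny"
    for ip in process_lines(follow(log_path), Tracker(), deny_path):
        print("denied", ip)
```

Note that a hosts.deny entry only does anything if sshd was built with TCP wrappers (libwrap) support; on a system without it the same tracker could drive an iptables rule instead. Entries appended this way are permanent until removed by hand, so a typo from a legitimate host needs manual cleanup.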
