SecurityFocus 2008-05-14
Allowing secure shell access to a server tends to attract the occasional attempt to guess a valid username and password for the service. However, a spike in attacks this week has system administrators worried.

In a nutshell, this is a shell script run via cron that parses log files to detect multiple login attempts within a short period of time that would indicate a brute force attack. Upon detecting such an event, depending on how you configure the script, it will add a DENY statement to hosts.deny, or if you also downloaded their small firewall implementation (AFP) to work in concert with BFD, it will dynamically add a firewall rule to block further attempts from that IP address. I eschewed their firewall and just changed the script to add an IPTABLES DENY rule to the host-based IPTABLES firewall setup. It works not only with SSH, but with most FTP servers as well, and probably other apps/daemons that require logins. It works very well, is free, and provides peace of mind. What could be better?
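The kind of log-based detection the comment above describes, as an added example (not BFD's code and not part of the original page): a POSIX sh/awk filter that flags source addresses with too many failed SSH logins inside a sliding time window. The function names, the thresholds and the OpenSSH syslog line format are assumptions, and the sample log is constructed using documentation IP ranges.

```shell
# Constructed sample of sshd syslog lines (documentation IP ranges only).
sample_log() {
cat <<'EOF'
May 14 03:12:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
May 14 03:12:03 host sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
May 14 03:12:05 host sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
May 14 03:12:08 host sshd[2217]: Failed password for root from 203.0.113.7 port 40115 ssh2
May 14 03:12:10 host sshd[2219]: Failed password for root from 203.0.113.7 port 40116 ssh2
May 14 08:30:11 host sshd[3001]: Failed password for alice from 198.51.100.20 port 50520 ssh2
May 14 08:30:19 host sshd[3001]: Failed password for alice from 198.51.100.20 port 50520 ssh2
May 14 08:30:27 host sshd[3001]: Accepted password for alice from 198.51.100.20 port 50520 ssh2
May 14 09:00:00 host sshd[3100]: Failed password for bob from 192.0.2.44 port 41000 ssh2
May 14 11:00:00 host sshd[3200]: Failed password for bob from 192.0.2.44 port 41001 ssh2
May 14 13:00:00 host sshd[3300]: Failed password for bob from 192.0.2.44 port 41002 ssh2
May 14 15:00:00 host sshd[3400]: Failed password for bob from 192.0.2.44 port 41003 ssh2
May 14 17:00:00 host sshd[3500]: Failed password for bob from 192.0.2.44 port 41004 ssh2
EOF
}

# Read a log on stdin; print each source IP that has at least $1 failed
# logins inside any $2-second window (each IP is printed once).
detect_bruteforce() {
    awk -v thr="$1" -v win="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        # Parse from the END of the line ("from IP port N ssh2") so a
        # username containing " from " cannot shift the address field.
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        if (ip !~ /^[0-9a-fA-F:.]+$/) next
        split($3, t, ":")
        # Seconds since start of month; month rollover is ignored here.
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        if (!(ip in head)) head[ip] = 1
        times[ip, ++n[ip]] = now
        # Drop failures that have aged out of the window for this IP.
        while (now - times[ip, head[ip]] > win) head[ip]++
        if (n[ip] - head[ip] + 1 >= thr && !(ip in hit)) { hit[ip] = 1; print ip }
    }'
}
# Usage: sample_log | detect_bruteforce 5 60
```

With a threshold of 5 failures in 60 seconds, only the burst from 203.0.113.7 is reported; the user who mistyped a password twice and the slow source spread over eight hours are not. The printed addresses are what a blocking step such as the hosts.deny or firewall rule mentioned in the comment would consume.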