[Gllug] Throttling failed connections
Chris Bell
chrisbell at overview.demon.co.uk
Thu Feb 24 10:15:57 UTC 2005
On Thu 24 Feb, Jack Bertram wrote:
> A glance through logwatch this morning showed an alarming number of
> failed ssh attempts to log in from one IP address. The package is up to
> date, so I don't suppose I was in any real danger (they were guessing
> lots of different usernames). However, it occurs to me that there must
> be a generic way of greylisting IP addresses, so that if you rack up too
> many failed logins within a certain time period you are locked out for an
> increasing length of time from that IP address until you successfully
> log in.
>
> Googling hasn't revealed a canonical way of doing this, but has thrown
> out some ideas:
> - pam_tally
> - implement some sort of port-knocking scheme before opening the ssh
> port
> - blacklisting IPs
> - portsentry
>
> Before I go and do more research, can anyone suggest something that
> 'just works'?
>
> j
>
>
IPCop uses Snort. It takes an old box, network intercons, and about half
an hour to set up an IPCop firewall. Snort is not turned on by default, and
you can collect updated rulesets on-line; iptables are included by default,
with plenty of easy GUI pages accessible from your main computer.
--
Chris Bell
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
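
The scheme described in the quoted question (too many failed logins from one address within a time window, a lockout that grows on each repeat, history cleared by a successful login), replayed over auth-log lines. This is an added example, not part of the original thread; the log lines are constructed, and the thresholds, the doubling schedule and the name `replay` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed auth-log lines in OpenSSH style; addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 24 03:00:01 host sshd[411]: Failed password for invalid user admin from 192.0.2.7 port 4001 ssh2
Feb 24 03:00:05 host sshd[412]: Failed password for invalid user test from 192.0.2.7 port 4002 ssh2
Feb 24 03:00:09 host sshd[413]: Failed password for invalid user guest from 192.0.2.7 port 4003 ssh2
Feb 24 03:01:00 host sshd[414]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Feb 24 03:01:30 host sshd[415]: Failed password for alice from 198.51.100.9 port 5002 ssh2
Feb 24 03:02:00 host sshd[416]: Accepted password for alice from 198.51.100.9 port 5003 ssh2
Feb 24 03:02:10 host sshd[417]: Failed password for root from 192.0.2.7 port 4004 ssh2
Feb 24 03:03:00 host sshd[418]: Failed password for alice from 198.51.100.9 port 5004 ssh2
Feb 24 03:06:00 host sshd[419]: Failed password for invalid user a from 192.0.2.7 port 4005 ssh2
Feb 24 03:06:05 host sshd[420]: Failed password for invalid user b from 192.0.2.7 port 4006 ssh2
Feb 24 03:06:10 host sshd[421]: Failed password for invalid user c from 192.0.2.7 port 4007 ssh2
"""
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (Failed|Accepted) "
                  r"password for (?:invalid user )?\S+ from (\S+) port")
WINDOW = timedelta(minutes=10)    # assumed: failures older than this are forgotten
MAX_FAILS = 3                     # assumed: failures within WINDOW that trigger a lockout
BASE_LOCK = timedelta(minutes=5)  # assumed: first lockout; doubles on each repeat

def replay(log_text, year=2005):
    """Return (lockouts, dropped); lockouts is a list of (ip, minutes)."""
    fails, strikes, locked_until = {}, {}, {}
    lockouts, dropped = [], 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind, ip = m.group(2), m.group(3)
        if ip in locked_until and ts < locked_until[ip]:
            dropped += 1          # a firewall rule would reject this attempt
            continue
        if kind == "Accepted":    # a successful login clears the address's history
            for table in (fails, strikes, locked_until):
                table.pop(ip, None)
            continue
        recent = fails[ip] = [t for t in fails.get(ip, []) if ts - t <= WINDOW] + [ts]
        if len(recent) >= MAX_FAILS:
            strikes[ip] = strikes.get(ip, 0) + 1
            lock = BASE_LOCK * 2 ** (strikes[ip] - 1)
            locked_until[ip] = ts + lock
            fails[ip] = []
            lockouts.append((ip, int(lock.total_seconds() // 60)))
    return lockouts, dropped
```

On the sample, `replay(SAMPLE_LOG)` locks 192.0.2.7 for 5 and then 10 minutes, while 198.51.100.9 is never locked because its successful login resets the count before the third failure.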