[Gllug] Throttling failed connections
Jack Bertram
jack at jbertram.net
Thu Feb 24 09:14:51 UTC 2005
A glance through logwatch this morning showed an alarming number of
failed ssh attempts to log in from one IP address. The package is up to
date, so I don't suppose I was in any real danger (they were guessing
lots of different usernames). However, it occurs to me that there must
be a generic way of greylisting IP addresses, so that if you rack up too
many failed logins within a certain time period you are locked out for an
increasing length of time from that IP address until you successfully
log in.
Googling hasn't revealed a canonical way of doing this, but has thrown
out some ideas:
- pam_tally
- implement some sort of port-knocking scheme before opening the ssh
port
- blacklisting IPs
- portsentry
Before I go and do more research, can anyone suggest something that
'just works'?
j
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20050224/52b3a3ba/attachment.pgp>
-------------- next part --------------
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list