sshdfilter

Jeff Vian jvian10 at charter.net
Wed Oct 5 12:26:35 UTC 2005


On Mon, 2005-10-03 at 09:49 -0700, Vladimir G. Ivanovic wrote:
> >>>>> "ju" == Jonathan Underwood <j.underwood at open.ac.uk> writes:
> 
>     ju> 
>     ju> Vladimir G. Ivanovic wrote:
>     >> Has anyone ported sshdfilter to FC4? It seems like such a useful
>     >> program now that I'm getting lots of ssh-based attacks.
>     >> http://www.csc.liv.ac.uk/~greg/sshdfilter/
>     >> --- Vladimir
>     >> 
>     ju> 
>     ju> The following provides a similar service:
>     ju> 
>     ju> http://www.aczoom.com/cms/blockhosts/
> 
> I am currently using DenyHosts, but like blockhosts, it is not quite
> the same as sshdfilter. sshdfilter parses the output of sshd and uses
> iptables to block hosts. Both DenyHosts and blockhosts parse the
> system log file and use /etc/hosts.deny to block hosts.
> 
> My sense is that sshdfilter's approach is (somewhat) better.
> 
sshdfilter also has the approach that a block has a limited lifetime
before that IP is allowed access again.  By default it blocks for 3
days, but that is user configurable.

I did not look at what DenyHosts or blockhosts do in that respect.  If
they do not automatically purge the block at some time, the list will
get quite long.  I had to quit using portsentry for that purpose after
the blocked list and rules in iptables and hosts.deny grew to over 5000
entries in a period of less than a year.  Manual editing of the files
became unwieldy.  Portsentry also cannot monitor ports that are open
for normal services, so it would not help with the ssh attacks.
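The approach discussed in this thread, as an added example that is not part of the original message and not sshdfilter's own (Perl) code: parse sshd failure messages, count them per source IP, emit an iptables DROP rule once a threshold is reached, and purge the rule when the block's lifetime has elapsed. The 3-day lifetime comes from the message above; the failure threshold of 3, the INPUT chain, the log line format (syslog-prefixed OpenSSH "Invalid user" / "Failed password" lines), and the sample log are assumptions constructed for the example. iptables commands are returned as strings rather than executed, so the block runs offline.

```python
import re
from datetime import datetime, timedelta

# Assumed policy values. Only the 3-day lifetime is taken from the
# thread; the threshold and chain are choices made for this example.
FAIL_THRESHOLD = 3
BLOCK_LIFETIME = timedelta(days=3)
CHAIN = "INPUT"

# Syslog-prefixed OpenSSH authentication failures, e.g.
#   Oct  3 09:40:03 host sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 4011 ssh2
#   Oct  3 09:40:01 host sshd[2101]: Invalid user admin from 10.0.0.5
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_ts(text, year=2005):
    """Syslog timestamps carry no year; assume one (2005 for this sample)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class SshdFilter:
    def __init__(self, threshold=FAIL_THRESHOLD, lifetime=BLOCK_LIFETIME):
        self.threshold = threshold
        self.lifetime = lifetime
        self.failures = {}   # ip -> failed attempts seen so far
        self.blocked = {}    # ip -> datetime at which the block expires
        self.commands = []   # every iptables command that would have been run

    def _rule(self, action, ip):
        return f"iptables {action} {CHAIN} -s {ip} -p tcp --dport 22 -j DROP"

    def feed(self, line):
        """Consume one sshd log line; return the block command if one is issued."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in self.blocked:          # already dropped; nothing more to count
            return None
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.threshold:
            return None
        del self.failures[ip]
        self.blocked[ip] = ts + self.lifetime
        cmd = self._rule("-I", ip)
        self.commands.append(cmd)
        return cmd

    def expire(self, now):
        """Purge blocks whose lifetime has passed; return the unblock commands.

        This is the step the message above says portsentry lacked: without
        it the rule set only ever grows."""
        freed = []
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                cmd = self._rule("-D", ip)
                self.commands.append(cmd)
                freed.append(cmd)
        return freed


# Constructed sample: one host guessing accounts, one legitimate user
# mistyping a password once.
SAMPLE_LOG = """\
Oct  3 09:40:01 host sshd[2101]: Invalid user admin from 10.0.0.5
Oct  3 09:40:03 host sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 4011 ssh2
Oct  3 09:40:05 host sshd[2105]: Failed password for root from 10.0.0.5 port 4012 ssh2
Oct  3 09:41:00 host sshd[2110]: Accepted publickey for jeff from 192.168.1.20 port 50001 ssh2
Oct  3 09:42:00 host sshd[2112]: Failed password for jeff from 192.168.1.20 port 50002 ssh2
"""


def run_demo(log=SAMPLE_LOG):
    """Return (block cmds, cmds freed one second early, cmds freed at expiry,
    IPs still blocked afterwards, outstanding failure counts)."""
    f = SshdFilter()
    blocks = [c for c in (f.feed(line) for line in log.splitlines()) if c]
    early = f.expire(parse_ts("Oct  6 09:40:04"))   # 1 s before the 3 days elapse
    freed = f.expire(parse_ts("Oct  6 09:40:05"))   # exactly 3 days after the block
    return blocks, early, freed, sorted(f.blocked), dict(f.failures)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Note that once an IP is blocked its further attempts are not counted, since the DROP rule stops them from reaching sshd anyway; the legitimate user's single failure stays in `failures` and never produces a rule. The real sshdfilter reads sshd's output on a pipe rather than the system log, but the counting and expiry logic is the same idea.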

More information about the fedora-list mailing list