OT: New article: Let's block cracker using denyhosts

jdow jdow at earthlink.net
Thu Mar 30 21:42:10 UTC 2006


From: "Fajar Priyanto" <fajarpri at cbn.net.id>

> On Thursday 30 March 2006 11:24 pm, Paul Howarth wrote:
>> > rpm -qa | grep denyhosts
>> > denyhosts-2.2-1.2.fc4.rf
>> >
>> > Also the initscript is not installed too.
>> > That's why I set it up manually then.
>>
>> That'll be because you've got the rpmforge version of the package rather
>> than the Fedora Extras one.
> 
> Ohhh! No wonder there were two packages when I did yum search denyhosts, and 
> apparently when I used the yum install denyhosts, yum downloaded the rpmforge 
> one.
> denyhosts.noarch    2.2-1.2.fc4.rf         dries
> denyhosts.noarch    2.0-1.fc4              extras
> 
> But, why did yum choose the rpmforge? Is it the version?
> -- 
> Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial 

For those using REAL IPTables instead of one of the silly ShoreWall type
futilities:

===8<--- 
# Then setup the ssh reject trap.
# Record every new SSH connection (SYN) by source address in the 'sshattack' list.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Log, then reject with a TCP reset, any source seen 3 or more times in the last 120 seconds.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---

With the values present a given site gets three tries within a 120 second
interval. Once that is exceeded it is locked out until the retry count
drops below 3 in 2 minutes. This means ALL attacks get blocked. It also
means that if you screw up your password three times you can still get in
if you wait a little bit.

I tend to review the logs which show the failed login attempts. If I find
an address in a part of the world where I am VERY unlikely to find myself
I simply add that whole Asian IP block to a reject rule. But really, at
30 seconds per try how long do you think it would take to guess a user
password of "abcdefgh" when the user name is not known, either?

{^_-}
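An added example, not part of jdow's message, that models how the three quoted `-m recent` rules decide each SSH SYN: a small Python model of an `xt_recent` list (hypothetical class and function names, kernel default of 20 timestamps per address, constructed TEST-NET source addresses) that shows which attempts from one source are accepted, which are rejected, and how long a source has to stay quiet before it gets through again.

```python
from collections import defaultdict, deque

# Parameters taken from the quoted rules: --seconds 120 --hitcount 3.
WINDOW_SECONDS = 120
HITCOUNT = 3
# xt_recent keeps at most ip_pkt_list_tot timestamps per address (kernel default 20);
# the oldest slot is overwritten once that many have been recorded.
PKT_LIST_TOT = 20


class RecentList:
    """Hypothetical model of one xt_recent list such as the 'sshattack' list above."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT, slots=PKT_LIST_TOT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=slots))

    def set(self, src, now):
        # --set: record the packet's arrival time for this source address.
        self.stamps[src].append(now)

    def rcheck(self, src, now):
        # --rcheck --seconds N --hitcount H: match (without touching the list)
        # when at least H recorded timestamps fall within the last N seconds.
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t <= self.window)
        return hits >= self.hitcount


def verdict(lst, src, now):
    """Run one SSH SYN through the three quoted rules; return 'ACCEPT' or 'REJECT'."""
    lst.set(src, now)          # rule 1 has no -j target, so the packet continues
    if lst.rcheck(src, now):   # rule 2 (LOG) and rule 3 (REJECT) share this match
        return "REJECT"
    return "ACCEPT"            # falls through to whatever rules follow


def simulate(events):
    """events: iterable of (source_ip, seconds) in arrival order -> list of verdicts."""
    lst = RecentList()
    return [verdict(lst, src, t) for src, t in events]


# Constructed sample input: TEST-NET addresses, times in seconds since the first SYN.
FUMBLED_LOGIN = [("203.0.113.5", t) for t in (0, 10, 20, 130, 141)]
BRUTE_FORCE = [("198.51.100.7", 30 * i) for i in range(8)]

if __name__ == "__main__":
    for label, events in (("fumbled login", FUMBLED_LOGIN), ("brute force", BRUTE_FORCE)):
        print(label, list(zip([t for _, t in events], simulate(events))))
```

Because the `--set` rule runs before the check, every retry while locked out adds another timestamp and extends the lockout; the attempt at 141 seconds shows a source that waited out a full window getting back in, while the 30-second brute-force source never does.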
