[logs] Re: logsurfer and ssh

From: Morten Liebach - TELMORE (mol@private)
Date: Tue Jul 26 2005 - 23:36:23 PDT

I did something similar with OpenBSD and pf (not via. logsurfer), but it
proved quite ineffective and I removed the hack and created a rule which
dropped all packets from Linux hosts destined for port 22, something you
can only do with pf AFAIK.

Here's the rule:

# Don't allow Linux hosts to connect to port 22.
block drop in log on $ext_if proto { tcp, udp } \
    from any os Linux to any port ssh

Of course it's a pretty bad idea if you need access from Linux hosts,
but I don't, so it works fine for me, more than 99% effective.  I can
only remember seeing a single scan getting through in the last 6 months
or so.

Not what you asked for, but it might inspire you or others.

Morten Liebach
System Administrator

-----Original Message-----
From: loganalysis-bounces+mol=telmore.dk@private
[mailto:loganalysis-bounces+mol=telmore.dk@private] On Behalf Of
Tim Sailer
Sent: 26. juli 2005 14:57
To: loganalysis@private
Subject: [logs] logsurfer and ssh

Has anyone developed a logsurfer rule to invoke IPTables
on a Linux box to block the brute force ssh attacks yet?
If so, can you post your work? If not, I'll hack my own and
post it to the list for the archives.


Tim Sailer <sailer@private> 
Information and Special Technologies Program
Office of CounterIntelligence 
Brookhaven National Laboratory  (631) 344-3001
LogAnalysis mailing list
LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Wed Jul 27 2005 - 02:51:58 PDT