What tools are available to automatically firewall a given IP address if it fails to login via SSH a given number of times or any other activity which seems suspicious?
Google didn't seem to turn up much on this topic.
According to John Lange:
> What tools are available to automatically firewall a given IP address if it fails to login via SSH a given number of times or any other activity which seems suspicious?
> Google didn't seem to turn up much on this topic.
There's a thread of discussion here on that topic:
http://www.webservertalk.com/message962127.html
It mentions pam_abl, which I had happened across just last week, but haven't tried out yet. It's available here:
http://www.hexten.net/sw/pam_abl/index.mhtml
Sadly, I can't seem to find it as a prepackaged rpm for Fedora.
On Thu, 12 May 2005, Gilles Detillieux wrote:
> It mentions pam_abl, which I had happened across just last week, but haven't tried out yet. It's available here:
pam_tally works well to stop brute force attacks against users. It locks accounts out after N attempts, rather than the firewall approach. The benefit, though, is that it's part of the standard RedHat/Fedora install.
Sean
Thanks Sean.
Surprising how few tools there are for this purpose.
pam_tally is a start but not really the full solution I was expecting to find.
The theory is simply that once you see suspicious activity of any kind from an IP then there is a good chance that IP is going to scan for other holes as well so you'd want to shut them down early.
Of course any automatic firewall based on attack signatures might then be subject to denial of service because of IP spoofing, so perhaps that's why it isn't more commonplace.
The denial of service potential is even greater with pam_tally than with pam_abl. Anyone from anywhere can cause a particular user to be locked out just by running an attack against that user name. You don't even need to resort to IP spoofing, because as far as I can tell, pam_tally doesn't even keep track of IP addresses - it just locks out usernames that are under attack. Blocking the IP address is a much saner approach, though yes, the problem of IP spoofing could cause trouble if dealing with a determined attacker (as opposed to the automated probing we more commonly see). I believe pam_abl will blacklist the IP from any service that requires PAM-based authentication, though it just maintains its own database of IP addresses and doesn't set up firewall rules to completely block out access from suspect IPs. I suppose the source could fairly easily be customized to do that, though.
On Thursday, May 12, 2005, at 15:20 CDT, John Lange wrote:
> Thanks Sean.
> Surprising how few tools there are for this purpose.
> pam_tally is a start but not really the full solution I was expecting to find.
> The theory is simply that once you see suspicious activity of any kind from an IP then there is a good chance that IP is going to scan for other holes as well so you'd want to shut them down early.
> Of course any automatic firewall based on attack signatures might then be subject to denial of service because of IP spoofing, so perhaps that's why it isn't more commonplace.
> -- John Lange President OpenIT ltd. www.Open-IT.ca (204) 885 0872 VoIP, Web services, Linux Consulting, Server Co-Location
> On Thu, 2005-05-12 at 12:13 -0500, Sean A. Walberg wrote:
>> On Thu, 12 May 2005, Gilles Detillieux wrote:
>>> It mentions pam_abl, which I had happened across just last week, but haven't tried out yet. It's available here:
>> pam_tally works well to stop brute force attacks against users. It locks accounts out after N attempts, rather than the firewall approach. The benefit, though, is that it's part of the standard RedHat/Fedora install.
>> Sean
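The difference Gilles describes between the two approaches (pam_tally counting failures per username, a firewall-style tool counting them per source IP) is easy to see on real sshd log lines. The script below is an added example written for this thread, not code from pam_abl, pam_tally or any of the posters; the log lines are constructed samples, the regular expression is written against the common "Failed password for ... from ... port" sshd message, and the `allowlist` parameter is an assumption of this example (a practitioner's guard against locking out their own management addresses). It tallies failures both ways, shows that one username probed once each from five addresses gets locked under per-user counting while no single IP reaches the threshold, and emits the iptables rule strings an IP-based blocker would apply, without executing them.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (syslog format); not taken from the thread.
# 203.0.113.7 hammers several accounts; 198.51.100.4-8 each try "alice" once;
# the last line is a successful key login and must not count as a failure.
SAMPLE_LOG = """\
May 12 15:01:02 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
May 12 15:01:05 host sshd[2002]: Failed password for root from 203.0.113.7 port 40002 ssh2
May 12 15:01:09 host sshd[2003]: Failed password for root from 203.0.113.7 port 40003 ssh2
May 12 15:01:12 host sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
May 12 15:01:20 host sshd[2005]: Failed password for root from 203.0.113.7 port 40005 ssh2
May 12 15:02:00 host sshd[2006]: Failed password for alice from 198.51.100.4 port 50001 ssh2
May 12 15:02:01 host sshd[2007]: Failed password for alice from 198.51.100.5 port 50002 ssh2
May 12 15:02:02 host sshd[2008]: Failed password for alice from 198.51.100.6 port 50003 ssh2
May 12 15:02:03 host sshd[2009]: Failed password for alice from 198.51.100.7 port 50004 ssh2
May 12 15:02:04 host sshd[2010]: Failed password for alice from 198.51.100.8 port 50005 ssh2
May 12 15:03:00 host sshd[2011]: Accepted publickey for bob from 192.0.2.10 port 60001 ssh2
"""

# Matches sshd's failed-password message; "invalid user" is optional because
# sshd only prints it when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (username, source_ip) tuples, one per failed login."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))
    return failures


def ips_to_block(failures, threshold=5, allowlist=frozenset()):
    """Firewall-style policy: block a source IP once it has `threshold` failures.

    `allowlist` (an assumption of this example) holds addresses that are never
    blocked, so a spoofed or mistyped login cannot cut off the administrator.
    """
    per_ip = Counter(ip for _, ip in failures)
    return {ip for ip, n in per_ip.items() if n >= threshold and ip not in allowlist}


def users_locked_by_tally(failures, threshold=5):
    """pam_tally-style policy: lock a username once it has `threshold` failures,
    regardless of where the attempts came from."""
    per_user = Counter(user for user, _ in failures)
    return {user for user, n in per_user.items() if n >= threshold}


def iptables_rules(ips):
    """Render the firewall commands an IP-based blocker would run for `ips`.

    Returned as strings only; nothing here touches the live ruleset.
    """
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("per-IP blocks:  ", ips_to_block(failures))           # {'203.0.113.7'}
    print("per-user locks: ", users_locked_by_tally(failures))  # {'alice'}
    for rule in iptables_rules(ips_to_block(failures)):
        print(rule)
```

Running it shows the asymmetry: the single noisy address is the only one an IP-based blocker touches, while per-username counting locks `alice` out even though no source sent more than one attempt, which is the denial-of-service path Gilles points out. A deployable version would add a time window and an expiry for blocks, but the counting logic is the same.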