Re: Temporarily Disable IP

To: debian-isp@lists.debian.org
Subject: Re: Temporarily Disable IP
From: "Dale E. Martin" <dale@the-martins.org>
Date: Wed, 5 Oct 2005 21:20:20 -0400
Message-id: <[🔎] 20051006012020.GA30549@gerbil.toadis.porkis>
In-reply-to: <[🔎] di14vo$5t2$1@sea.gmane.org>
References: <[🔎] di14vo$5t2$1@sea.gmane.org>

> Is there a way to temporarily disable such IPs which fail to authenticate ?

Doing each of these things has had a dramatic impact on the number of brute
force attempts I see:
1) limit the ips with a blacklist -> at continental granuarity
2) limit the accounts that can login
3) limit the number of attempts to 3 per 5 minutes per ip


1) I used the raw ip blocks from "krfilter" to make a shorewall blacklist
to disallow access from asian ips.  (Not a good idea for a machine serving
web pages or mail of course, this is for a personal machine.)  If someone
has a list of australian, european, etc I'd add those too...

You can get the list I'm using for that from:
http://www.hakusan.tsg.ne.jp/tjkawa/lib/krfilter/uALL.txt

2) I also limit the users with "AllowUsers" in my sshd_config.

3) I followed these directions to get a "3 strikes and you're out for 5
minutes" policy with shorewall (it's not totally spelled out but it will
get you really close):
http://lists.shorewall.net/pipermail/shorewall-users/2005-February/017249.html

Take care,
  Dale
-- 
Dale E. Martin - dale@the-martins.org
http://the-martins.org/~dmartin

Reply to:

References:
- Temporarily Disable IP
  - From: Ritesh Raj Sarraf <riteshsarraf@users.sourceforge.net>

Prev by Date: Re: [OT] _received_ call from toll free ?
Next by Date: Re: [OT] _received_ call from toll free ?
Previous by thread: Re: Temporarily Disable IP
Next by thread: [OT] _received_ call from toll free ?
Index(es):
- Date
- Thread