[Freedombox-discuss] Block brute force login attacks?
Rodrigo Campos
rodrigo at sdfg.com.ar
Wed Mar 19 12:11:45 UTC 2014
On Tue, Mar 18, 2014 at 10:45:19PM +0100, Anders Jackson wrote:
>
> Den 18 mar 2014 22:18 skrev "Petter Reinholdtsen" <pere at hungry.com>:
> >
> > [Anders Jackson]
> > > This can be done directly by iptables, (but not yet with iptables6 for
> > > ip6tables).
> > >
> > > So I would suggest using a firewall utility instead, like ufw or
> > > shorewall.
> >
> > This sounds interesting. How can iptables know that the login attempt
> > failed? My idea is to block too many failed connections, not "too
> > many" connections, as a script with ssh-agent backing might well
> > connect many times in a short while if the task is right.
>
> Ok, I didn't think about that use case.
> I never used that other than over LAN, not over internet connections. I just
> thought about sftp and ssh terminal connections, which usually are longer.
> To know the difference between missed logins and short valid ssh connections
> you'll need something other than iptables. Something that analyses log files or
> actually knows when a login fails.
fail2ban does this: it parses several services' logs (you choose which; by default
only ssh, IIRC) and adds an iptables rule blocking that IP for X minutes when
needed.
Well, actually the action (block using iptables) can be configured, but iptables
is an option (the default for ssh too, IIRC :) and comes with some pre-defined
actions and filters (i.e. to parse several logs from different daemons).
Thanks,
Rodrigo
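The log-watching approach Rodrigo describes, written out as a small added example (this is not fail2ban's code and is not part of the thread): it reads sshd log lines, counts only "Failed password" events per source address inside a sliding time window, the way fail2ban's maxretry/findtime settings do, and returns the iptables rule a ban action would add. Successful connections are never counted, which is what separates this from a plain connection-rate limit and answers the ssh-agent concern raised above. The log lines, the hostname `fbx` and the addresses are constructed (RFC 5737 documentation ranges); the DROP rule in INPUT is a simplification of what fail2ban's iptables actions actually install, and the year 2014 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log (syslog format, no year). Not taken from the
# thread; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation
# ranges. 203.0.113.5 fails five times in 11 seconds; 198.51.100.7 opens four
# key-authenticated sessions in 3 seconds; 192.0.2.9 fails five times spread
# over an hour.
SAMPLE_LOG = """\
Mar 18 22:10:01 fbx sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 18 22:10:03 fbx sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 18 22:10:04 fbx sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Mar 18 22:10:05 fbx sshd[1204]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2
Mar 18 22:10:05 fbx sshd[1205]: Accepted publickey for deploy from 198.51.100.7 port 40003 ssh2
Mar 18 22:10:06 fbx sshd[1206]: Accepted publickey for deploy from 198.51.100.7 port 40004 ssh2
Mar 18 22:10:07 fbx sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar 18 22:10:09 fbx sshd[1208]: Failed password for invalid user oracle from 203.0.113.5 port 51255 ssh2
Mar 18 22:10:12 fbx sshd[1209]: Failed password for invalid user pi from 203.0.113.5 port 51260 ssh2
Mar 18 22:30:00 fbx sshd[1210]: Failed password for alice from 192.0.2.9 port 50000 ssh2
Mar 18 22:45:00 fbx sshd[1211]: Failed password for alice from 192.0.2.9 port 50001 ssh2
Mar 18 23:00:00 fbx sshd[1212]: Failed password for alice from 192.0.2.9 port 50002 ssh2
Mar 18 23:15:00 fbx sshd[1213]: Failed password for alice from 192.0.2.9 port 50003 ssh2
Mar 18 23:30:00 fbx sshd[1214]: Failed password for alice from 192.0.2.9 port 50004 ssh2
"""

# Matches only sshd's failed-password line (with or without "invalid user").
# "Accepted ..." lines deliberately do not match, so valid sessions are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2014):
    """Yield (timestamp, source_ip) for every failed-password line.

    syslog omits the year, so one is supplied (assumed 2014 for the sample).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for addresses with >= maxretry failures
    inside any findtime-long window (names follow fail2ban's settings).

    Per-IP deque of failure timestamps; entries older than findtime are
    dropped before the count is compared, giving a sliding window.
    """
    windows = defaultdict(deque)
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans:
            continue  # already banned; no need to keep counting
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


def ban_command(ip, chain="INPUT"):
    """The iptables rule a ban action would insert (returned as argv, not run).

    Simplified compared to fail2ban's own actions, which use a dedicated chain.
    """
    return ["iptables", "-I", chain, "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(when.isoformat(), " ".join(ban_command(ip)))
```

Run against the sample, only 203.0.113.5 is banned: the four rapid key-based logins from 198.51.100.7 never enter the count, and the slow failures from 192.0.2.9 never accumulate five inside the 10-minute window. Tightening `findtime` or lowering `maxretry` trades that tolerance for faster blocking, exactly the knobs fail2ban exposes per jail.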