[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] reduction of brute force login attempts via SSHthrough iptables --hashlimit
- To: "Gary Leons" <tastytastybeef@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] reduction of brute force login attempts via SSHthrough iptables --hashlimit
- From: "GroundZero Security" <fd@xxxxxxx>
- Date: Thu, 2 Mar 2006 17:23:51 +0100
Well i dont want to destroy your happy time where you can feel superior, but
if you would read the manpage of lastb you would notice that this approach wont
work at all.
lastb just shows successfull logins! not all the attempted logins....we
discussed that before though,
so better pay attention next time.
Another thing is that on many systems btmp is not present and thus lastb
wouldnt work even if it
would show failed logins.
NAME
last, lastb - show listing of last logged in users
SYNOPSIS
last [-R] [-num] [ -n num ] [-adiox] [ -f file ] [name...] [tty...]
lastb [-R] [-num] [ -n num ] [ -f file ] [-adiox] [name...] [tty...]
DESCRIPTION
Last searches back through the file /var/log/wtmp (or the file
designated by the -f flag) and displays a list of all
users logged in (and out)
since that file was created.
....
as you can see it only logs "logged in" users not all those that tried. so your
script is useless.
----- Original Message -----
From: "Gary Leons" <tastytastybeef@xxxxxxxxxxxxxx>
To: "GroundZero Security" <fd@xxxxxxx>
Cc: <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Thursday, March 02, 2006 4:43 PM
Subject: Re: [Full-disclosure] reduction of brute force login attempts via
SSHthrough iptables --hashlimit
> On 3/2/06, GroundZero Security <fd@xxxxxxx> wrote:
> >
> > After all it works. There are always more ways to do it, but if its -A1 or
> > -1 really doesnt matter at all, its just you have to be pedantic over it i
> > guess.
> > Yep im not a bash guru maybe,but i really dont care much for optimization
> > on a lame script like this as long as it WORKS and is not insecure.
>
> ^^^^^^^^^^^^^^^
> HAH.
>
> >
> > If you really think it sucks sooo much that you cant take it, then before
> > you reply to this mail now,
> > go and optimize it and send your version to FD then you can be happy and
> > feel superior :-)
> >
> > -sk
>
> #!/bin/sh
> for i in `lastb -ai | awk '{print $(NF)}' | sort | uniq -c | sort -n |
> awk '{if ($1 >= 7) print $2}'`; do
> if ! grep -q "sshd: ${i}" /etc/hosts.deny; then
> printf "# %s\nsshd: %s\n" "`date`" "${i}" >> /etc/hosts.deny
> fi
> done
>
> 5 lines, adds hosts with more than 7 failed logins to hosts.deny, run
> it from cron.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/