[lug] SSH Probing Solution using IPTables

George Sexton gsexton at mhsoftware.com
Wed Sep 14 10:26:29 MDT 2005

> -----Original Message-----
> From: lug-bounces at lug.boulder.co.us 
> [mailto:lug-bounces at lug.boulder.co.us] On Behalf Of Dan Ferris
> Sent: Wednesday, September 14, 2005 9:25 AM
> To: Boulder (Colorado) Linux Users Group -- General Mailing List
> Subject: Re: [lug] SSH Probing Solution using IPTables
> Have you tried to tarpit those and run ssh on another port?
> Dan

No, I'm afraid I haven't. I just don't have the time or inclination to burn
the bandwidth/cpu/brainpower for this kind of pursuit. I looked at LaBrea.
It just doesn't look like the kind of software I want to run on production
servers. I did some testing by scripting OpenSSH and found that it takes 3
minutes for OpenSSH to time out on the connection attempt. I suppose hackers
could adjust this value. It still is going to tie up the script for some
period of time.

Running SSH on non-standard ports is an option, but then if you are behind
someone else's firewall, you probably won't get through. It's the curse and
blessing of well known ports.

> George Sexton wrote:
> >I've gotten tired of looking at hundreds or thousands of 
> probe attempts in
> >my server logs lately. I was toying with the idea of writing 
> a monitor app
> >that would look at the server logs, and create a customer 
> firewall rule that
> >would block the IP after so many failed attempts.

George Sexton
MH Software, Inc.
Voice: 303 438 9585

More information about the LUG mailing list