Anders B Jansson wrote:
The purpose of this wasn't to reinvent the wheel. It was to allow those using the tool to report the addresses of anyone brute forcing ssh. These addresses are going to be posted for others to see. Something like an RBL for brute forcers.

Just one possibly silly question. Why are you working so hard to do this with complex scripts and stuff? I just wrote a little C snippet that runs on the firewall. All servers allowing external ssh send a copy of ssh auth to a port on the firewall. If it detects a brute force it adds the host to the block list and everything from that host is silently dropped. Added a whitelist function to avoid DOS attempts. Works perfect, and adds community service by letting the trawlers hang until they timeout.
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
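The firewall-side blocker described in the message above (count failed ssh logins per source, block past a limit, exempt whitelisted hosts), as an added example that is not the C snippet mentioned in the thread or any poster's code. The threshold of 5, the table size, the function names, the whitelist entry and the sample log line are assumptions, as is the OpenSSH `Failed password for ... from <ip> port ...` line format.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 64
#define THRESHOLD 5 /* assumed: failed logins tolerated before blocking */
static struct host { char ip[46]; int failures; } hosts[MAX_HOSTS];
static int nhosts;
static const char *whitelist[] = { "192.0.2.10", NULL }; /* constructed entry */

static int is_whitelisted(const char *ip) {
    for (int i = 0; whitelist[i]; i++)
        if (strcmp(whitelist[i], ip) == 0) return 1;
    return 0;
}

/* Copy the source address of a "Failed password" line into ip; 1 on success. */
static int parse_failed_ip(const char *line, char *ip) {
    const char *from = NULL, *q = strstr(line, "Failed password for ");
    if (!q) return 0;
    /* Take the last " from ": the username before it is attacker-controlled. */
    while ((q = strstr(q, " from ")) != NULL) from = (q += 6);
    if (!from) return 0;
    size_t n = strcspn(from, " \n");
    if (n == 0 || n >= sizeof hosts[0].ip) return 0;
    memcpy(ip, from, n);
    ip[n] = '\0';
    return 1;
}

/* Feed one auth log line; returns 1 only when it newly blocks ip (>= 46 bytes). */
int process_line(const char *line, char *ip) {
    struct host *h = NULL;
    if (!parse_failed_ip(line, ip) || is_whitelisted(ip)) return 0;
    for (int i = 0; i < nhosts && !h; i++)
        if (strcmp(hosts[i].ip, ip) == 0) h = &hosts[i];
    if (!h) {
        if (nhosts == MAX_HOSTS) return 0; /* table full: stop tracking new hosts */
        h = &hosts[nhosts++];
        strcpy(h->ip, ip); /* fits: parser caps length below sizeof h->ip */
    }
    return ++h->failures == THRESHOLD; /* 1 exactly once, at the limit */
}

int main(void) { /* constructed sample line using a documentation address */
    char ip[46];
    const char *l = "sshd[101]: Failed password for root from 203.0.113.5 port 4022 ssh2";
    for (int i = 1; i <= 6; i++)
        printf("attempt %d -> %s\n", i, process_line(l, ip) ? "BLOCK" : "no new action");
    return 0;
}
```

A return value of 1 is the point at which the caller would add the address to the firewall's drop list; expiry of old entries is left out here.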