Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: reduction of brute force login attempts via SSHthrough iptables --hashlimit

From: "GroundZero Security" <fd () g-0 org>
Date: Thu, 2 Mar 2006 17:23:51 +0100
Well i dont want to destroy your happy time where you can feel superior, but
if you would read the manpage of lastb you would notice that this approach wont work at all.
lastb just shows successfull logins! not all the attempted logins....we discussed that before though,
so better pay attention next time.

Another thing is that on many systems btmp is not present and thus lastb wouldnt work even if it
would show failed logins.

NAME
       last, lastb - show listing of last logged in users

SYNOPSIS
       last [-R] [-num] [ -n num ] [-adiox] [ -f file ] [name...]  [tty...]
       lastb [-R] [-num] [ -n num ] [ -f file ] [-adiox] [name...]  [tty...]

DESCRIPTION
       Last  searches  back  through  the  file /var/log/wtmp (or the file designated by the -f flag) and displays a 
list of all
users logged in (and out)
       since that file was created.
       ....

as you can see it only logs "logged in" users not all those that tried. so your script is useless.



----- Original Message ----- 
From: "Gary Leons" <tastytastybeef () googlemail com>
To: "GroundZero Security" <fd () g-0 org>
Cc: <full-disclosure () lists grok org uk>
Sent: Thursday, March 02, 2006 4:43 PM
Subject: Re: [Full-disclosure] reduction of brute force login attempts via SSHthrough iptables --hashlimit



On 3/2/06, GroundZero Security <fd () g-0 org> wrote:


After all it works. There are always more ways to do it, but if its -A1 or
-1 really doesnt matter at all, its just you have to be pedantic over it i guess.
Yep im not a bash guru maybe,but i really dont care much for optimization
on a lame script like this as long as it WORKS and is not insecure.


           ^^^^^^^^^^^^^^^
HAH.



If you really think it sucks sooo much that you cant take it, then before you reply to this mail now,
go and optimize it and send your version to FD then you can be happy and feel superior :-)

-sk


#!/bin/sh
for i in `lastb -ai | awk '{print $(NF)}' | sort | uniq -c | sort -n |
awk '{if ($1 >= 7) print $2}'`; do
    if ! grep -q "sshd: ${i}" /etc/hosts.deny; then
        printf "# %s\nsshd: %s\n" "`date`" "${i}" >> /etc/hosts.deny
    fi
done

5 lines, adds hosts with more than 7 failed logins to hosts.deny, run
it from cron.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: