Posted to infrastructure-issues@apache.org by "Roy T. Fielding (JIRA)" <ji...@apache.org> on 2007/12/03 01:10:43 UTC
[jira] Created: (INFRA-1428) Have sshd tell IPFW to block scanner IPs
Have sshd tell IPFW to block scanner IPs
----------------------------------------
Key: INFRA-1428
URL: https://issues.apache.org/jira/browse/INFRA-1428
Project: Infrastructure
Issue Type: Wish
Security Level: public (Regular issues)
Components: Infra Wishlist
Reporter: Roy T. Fielding
It would be nice if we could detect an attempt to log in to the account 'admin'
and automatically firewall that IP. It is one of the first accounts attempted
by those stupid ssh rootkits.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (INFRA-1428) Have sshd tell IPFW to block scanner IPs
Posted by "Noel J. Bergman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564643#action_12564643 ]
noel edited comment on INFRA-1428 at 1/31/08 9:12 PM:
-----------------------------------------------------------------
I run sshblack (http://www.pettingers.org/code/sshblack.html) on multiple systems. It seems both easy to install and suitable in its operation. Do we want to install it on ASF systems?
was (Author: noel):
I run sshblack on multiple systems. It seems both easy to install and suitable in its operation. Do we want to install it on ASF systems?
[jira] Commented: (INFRA-1428) Have sshd tell IPFW to block scanner IPs
Posted by "Tony Stevenson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12631536#action_12631536 ]
Tony Stevenson commented on INFRA-1428:
---------------------------------------
I think we should look at using this tool -> http://sourceforge.net/projects/fail2ban
It not only covers SSH/HTTP/HTTPS - It can be expanded very easily to check any other service that outputs to a log file.
Potentially it could be used to protect rsync, or any other network service.
The problem with SSHblack is that the code is limited to SSH. The author has also produced DABblack. But that is it. No others included. Maybe that could change with some code hacks.
Fail2Ban can be extended by adding config updates, and using sensible regex.
Working like a charm on my personal servers.
[jira] Resolved: (INFRA-1428) Have sshd tell IPFW to block scanner IPs
Posted by "Tony Stevenson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tony Stevenson resolved INFRA-1428.
-----------------------------------
Resolution: Fixed
Assignee: Tony Stevenson
Installed on mino - Looking to roll out further should this trial be successful.
[jira] Commented: (INFRA-1428) Have sshd tell IPFW to block scanner IPs
Posted by "Tony Stevenson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12634128#action_12634128 ]
Tony Stevenson commented on INFRA-1428:
---------------------------------------
fail2ban has now been deployed on mino, as an initial test, with a few IP addresses banned within the first 12 hours of operation. It is now a case of ensuring that we are using the best regex to catch all the idiots.
[jira] Commented: (INFRA-1428) Have sshd tell IPFW to block scanner IPs
Posted by "Noel J. Bergman (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12564643#action_12564643 ]
Noel J. Bergman commented on INFRA-1428:
----------------------------------------
I run sshblack on multiple systems. It seems both easy to install and suitable in its operation. Do we want to install it on ASF systems?
[jira] Commented: (INFRA-1428) Have sshd tell IPFW to block scanner IPs
Posted by "Paul Querna (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/INFRA-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12558838#action_12558838 ]
Paul Querna commented on INFRA-1428:
------------------------------------
We should just block after N attempted logins from the same IP.... lots of tools to do that:
http://freebsdwiki.org/index.php/Block_repeated_illegal_or_failed_SSH_logins
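The two rules discussed in this thread (firewall on any attempt against 'admin', and block after N failed logins from one IP), as an added example that is not part of the thread and is not code from sshblack or fail2ban. It assumes a threshold of 3, a hypothetical allowlisted range, and ipfw table number 1 referenced by an existing deny rule.

```python
import ipaddress
import re
from collections import Counter

BAIT_USERS = {"admin"}   # the account named in the issue
MAX_FAILURES = 3         # the "N" in "block after N attempted logins" (assumed)
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical admin range

# Greedy user group plus the end anchor: the address is always read from the
# end of the line, so text inside the username cannot choose what gets blocked.
LINE = re.compile(
    r"sshd\[\d+\]: (?P<kind>Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$"
)

# Constructed sample lines (documentation address ranges), IPv4 only.
SAMPLE_LOG = """\
Dec  3 01:10:43 host sshd[1201]: Invalid user admin from 203.0.113.7
Dec  3 01:11:02 host sshd[1210]: Failed password for root from 198.51.100.23 port 51514 ssh2
Dec  3 01:11:05 host sshd[1210]: Failed password for root from 198.51.100.23 port 51514 ssh2
Dec  3 01:11:09 host sshd[1211]: Failed password for invalid user test from 198.51.100.23 port 51520 ssh2
Dec  3 01:12:00 host sshd[1215]: Failed password for alice from 192.0.2.10 port 40100 ssh2
Dec  3 01:12:30 host sshd[1220]: Invalid user admin from 198.51.100.200 from 203.0.113.99
"""

def addresses_to_block(lines):
    """Return source IPs to firewall, in the order they tripped a rule."""
    failures, blocked = Counter(), []
    for line in lines:
        m = LINE.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:   # e.g. 999.1.1.1 passes the regex but is no address
            continue
        if str(ip) in blocked or any(ip in net for net in ALLOWLIST):
            continue
        if m["kind"].startswith("Failed"):
            failures[ip] += 1
        if m["user"] in BAIT_USERS or failures[ip] >= MAX_FAILURES:
            blocked.append(str(ip))
    return blocked

def ipfw_commands(ips, table=1):
    """Render, without running, one ipfw table entry per address."""
    return [f"ipfw table {table} add {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(ipfw_commands(addresses_to_block(SAMPLE_LOG.splitlines()))))
```

The last sample line shows why the pattern is anchored at the end: 198.51.100.200 appears only inside the username field, so it is never treated as the source address.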