Foil SSH Dictionary Attacks with sshutout
By: Bill DuPree on: Wed 31 of May, 2006 [15:37 UTC]
This is a Linux daemon, written in C, that periodically monitors log files looking for multiple failed login attempts via the Secure Shell daemon (sshd, or optionally, sshd2). The daemon is meant to mitigate what are commonly known as "dictionary attacks," i.e. scripted brute-force attacks that use lists of user IDs and passwords to effect unauthorized intrusions. Typically such attacks fill the system logs with hundreds or even thousands of log entries. Aside from the nuisance of wasted space, wasted bandwidth, and reduced signal-to-noise ratio in the logs, the attacks can pose a real danger to systems with weak ID and password combinations.
The sshutout daemon blunts such attacks by creating firewall rules to block individual offenders from accessing the system. These rules are created when an attack signature is detected, and after a configurable expiry interval has elapsed, the rules are deleted.
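The detect, block and expire cycle described above can be sketched as follows. This is an added example, not sshutout's own code: the `Blocker` class, the threshold, window and expiry values, and the sample log lines are assumptions, and it records the rule changes a daemon would make instead of touching a firewall.

```python
import re
from collections import defaultdict

# OpenSSH failed-password line; captures the source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
THRESHOLD = 3   # assumed: failures from one address that trigger a block
WINDOW = 60     # assumed: seconds over which failures are counted
EXPIRY = 300    # assumed: seconds before a block rule is deleted

class Blocker:
    def __init__(self):
        self.failures = defaultdict(list)  # address -> recent failure times
        self.blocked = {}                  # address -> time the block ends
        self.actions = []                  # rule changes a daemon would make

    def expire(self, now):
        for addr, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[addr]
                self.actions.append(("unblock", addr, now))

    def observe(self, now, line):
        self.expire(now)
        m = FAILED.search(line)
        if not m or m.group(1) in self.blocked:
            return
        addr = m.group(1)
        recent = [t for t in self.failures[addr] if now - t < WINDOW] + [now]
        self.failures[addr] = recent
        if len(recent) >= THRESHOLD:
            self.blocked[addr] = now + EXPIRY
            del self.failures[addr]
            self.actions.append(("block", addr, now))

def run(events):
    b = Blocker()
    for now, line in events:
        b.observe(now, line)
    return b

# Constructed sample: (seconds since start, log line); addresses are documentation ranges.
PFX = "May 31 15:00:00 host sshd[101]: "
SAMPLE = [
    (0, PFX + "Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2"),
    (2, PFX + "Accepted password for alice from 198.51.100.7 port 5000 ssh2"),
    (3, PFX + "Failed password for root from 203.0.113.5 port 4002 ssh2"),
    (5, PFX + "Failed password for test from 203.0.113.5 port 4003 ssh2"),
    (400, PFX + "Failed password for bob from 198.51.100.7 port 5001 ssh2"),
]
```

Counting failures per source address inside a sliding window keeps a single mistyped password from triggering a block, and the expiry pass keeps the rule set from growing without bound.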