What to do with zombie ssh connections...tarpit?
From: Myk Taylor (myk at ucla.edu)
Date: Thu Jun 02 2005 - 00:39:36 CDT
With OpenBSD 3.7 I can finally easily detect and block those annoying
ssh scanning zombies with the following pf rule:
# Let ssh in, but track each source address: more than 5 new connections
# in 60 seconds adds the source to <zombies> and kills its existing states.
# This rule only passes traffic; blocking <zombies> is done by a separate rule.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state (max-src-conn-rate 5/60, \
    overload <zombies> flush global)
then I can block all IPs in the <zombies> table (I automatically phase
IPs out of the table after a couple days in daily.local). This is all
fine and good for my server, but I'd rather tarpit the suckers instead
of blocking them outright after 5 connections. It would be easy to rdr
them to a tarpit process, but I haven't seen any tarpits on the web that
simulate ssh servers.
I think ideally there could be a public honeypot server somewhere I
could redirect them to, where their IPs and activity could be centrally
logged and email could be automatically sent to the abuse address in
the whois(1) entry. I'm doing this manually for the ~2 zombies daily I
discover, but it's a bit tedious.
So what's the best solution here? Is there a better way than hacking
the sshd source to unconditionally sleep for 20s and return failure?
--myk
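As an added example (not the poster's own configuration), here is a complete pf.conf fragment that ties the overload rule to the <zombies> table, the block rule the post refers to, and the periodic expiry done from daily.local. The two-day expiry interval (172800 seconds) and the daily.local command are assumptions chosen to match what the post describes.

```pf
# /etc/pf.conf fragment (added example, OpenBSD 3.7-era syntax)
ext_if = "fxp0"           # assumption: external interface name

# persist keeps the table across rule reloads so the block survives pfctl -f
table <zombies> persist

# Drop everything from addresses already flagged as scanners.
# quick: no later rule (including the pass below) can override this.
block in quick on $ext_if from <zombies>

# Accept ssh, but rate-limit new connections per source address.
# More than 5 connection attempts within 60 seconds from one address
# puts it in <zombies> and flushes all of that address's existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state (max-src-conn-rate 5/60, \
    overload <zombies> flush global)

# Expiry, run from /etc/daily.local (assumption: two days = 172800 s).
# pfctl removes table entries whose statistics were last cleared
# more than that many seconds ago, so an address that stops scanning
# drops out of the block list on its own:
#
#   pfctl -t zombies -T expire 172800
#
# Inspect the current list with:  pfctl -t zombies -T show
```

Note that the table is filled by the pass rule but only enforced by the block rule, so both must be present for flagged sources to be dropped.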