[mythtv-users] ssh attack

[Korey Fort]

In the logs of DenyHosts it does list how many times a username was
attempted. I haven't tried to configure it for  blocking on username
failures.  It has a default block time of a year, so if you fail to login in
the specified login attempts, you're blocked for a year or that can be
configure.  If you are really and truly paranoid of someone logging in as
root or mythtv you can just stop them from logging in from ssh 
(
http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Restrictin
g_User_Logins.html ).

"Let ye without segmentation fault cast the first int!"

Korey Fort
-----Original Message-----
From: mythtv-users-bounces at mythtv.org
[mailto:mythtv-users-bounces at mythtv.org] On Behalf Of
chris at cpr.homelinux.net
Sent: Friday, December 30, 2005 4:40 AM
To: Discussion about mythtv
Subject: Re: [mythtv-users] ssh attack

On Fri, Dec 30, 2005 at 12:12:37AM -0500, George Nassas wrote:
> On 29-Dec-05, at 11:58 PM, Korey Fort wrote:
> >tracks log in attempts, if the
> >account/password is wrong a certain amount of times it will put it in
> >/etc/host.deny file and block them from attempting.
> That's a good idea in general but this particular fellow only tried a 
> given login once. Basically root / root then mythtv / mythtv then frank 
> / frank, etc...

You've missed the point.  These types of packages don't look for
multiple attempts at a single user name.  They simply watch the auth
logs and match failures to IPs.  Once an IP has accumulated a certain
number of failures within a specified time period, that IP address is
temporarily added to a firewall table to block all further connections.
In your case, root/root is the first failure, mythtv/mythtv is the
second failure, etc.

I use fail2ban to do the same thing.  It's highly configurable so you
can adjust the rules to match almost any kind of log file.

-- 
Joke template: Three guys walk into a bar. One of them is a wee bit
stupid, and the whole scene unfolds with a tedious inevitability.