[mythtv-users] ssh attack
k.m.fort at gmail.com
Fri Dec 30 10:27:23 EST 2005
In the logs of DenyHosts it does list how many times a username was
attempted. I haven't tried to configure it for blocking on username
failures. It has a default block time of a year, so if you fail to log in
in the specified login attempts, you're blocked for a year, or that can be
configured. If you are really and truly paranoid of someone logging in as
root or mythtv you can just stop them from logging in from ssh.
"Let ye without segmentation fault cast the first int!"
From: mythtv-users-bounces at mythtv.org
[mailto:mythtv-users-bounces at mythtv.org] On Behalf Of
chris at cpr.homelinux.net
Sent: Friday, December 30, 2005 4:40 AM
To: Discussion about mythtv
Subject: Re: [mythtv-users] ssh attack
On Fri, Dec 30, 2005 at 12:12:37AM -0500, George Nassas wrote:
> On 29-Dec-05, at 11:58 PM, Korey Fort wrote:
> >tracks log in attempts, if the
> >account/password is wrong a certain amount of times it will put it in
> >/etc/host.deny file and block them from attempting.
> That's a good idea in general but this particular fellow only tried a
> given login once. Basically root / root then mythtv / mythtv then frank
> / frank, etc...
You've missed the point. These types of packages don't look for
multiple attempts at a single user name. They simply watch the auth
logs and match failures to IPs. Once an IP has accumulated a certain
number of failures within a specified time period, that IP address is
temporarily added to a firewall table to block all further connections.
In your case, root/root is the first failure, mythtv/mythtv is the
second failure, etc.
I use fail2ban to do the same thing. It's highly configurable so you
can adjust the rules to match almost any kind of log file.
Joke template: Three guys walk into a bar. One of them is a wee bit
stupid, and the whole scene unfolds with a tedious inevitability.
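
The per-IP counting described in the reply above, as an added example that is not part of the original thread and is not fail2ban or DenyHosts code. The log lines are constructed, and the function name, threshold, time window and year are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd syslog style (not taken from the thread).
SAMPLE_LOG = """\
Dec 30 00:12:37 myth sshd[2211]: Failed password for root from 203.0.113.7 port 40022 ssh2
Dec 30 00:12:39 myth sshd[2213]: Failed password for mythtv from 203.0.113.7 port 40025 ssh2
Dec 30 00:12:40 myth sshd[2214]: Failed password for chris from 198.51.100.20 port 51514 ssh2
Dec 30 00:12:41 myth sshd[2215]: Failed password for invalid user frank from 203.0.113.7 port 40031 ssh2
Dec 30 00:12:55 myth sshd[2216]: Accepted password for chris from 198.51.100.20 port 51520 ssh2
Dec 30 01:00:00 myth sshd[2300]: Failed password for root from 192.0.2.9 port 33000 ssh2
Dec 30 03:00:00 myth sshd[2301]: Failed password for root from 192.0.2.9 port 33001 ssh2
Dec 30 05:00:00 myth sshd[2302]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def ips_to_block(log_text, max_failures=3, window=timedelta(minutes=10), year=2005):
    """Return {ip: usernames tried} for IPs reaching max_failures within window."""
    recent = defaultdict(deque)   # ip -> (timestamp, username) of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in blocked:
            continue
        # Syslog timestamps carry no year; one is assumed so they can be parsed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append((ts, m["user"]))
        while ts - hits[0][0] > window:   # drop failures older than the window
            hits.popleft()
        if len(hits) >= max_failures:     # the username never enters the count
            blocked[m["ip"]] = [user for _, user in hits]
    return blocked

if __name__ == "__main__":
    for ip, users in ips_to_block(SAMPLE_LOG).items():
        print(f"block {ip}: failures for {', '.join(users)}")
```

The address that tried root, mythtv and frank once each is blocked on its third failure, while the single mistyped password and the failures spaced hours apart stay under the threshold.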