How exactly do you do this? "we reach out to the firewall (Cisco ASA) and drop the door on your toes"
Is it automated using some Cisco-provided firewall web service or API? Or do you send an email to your firewall admin, who adds the IP block to the firewall?

Mike Cunningham

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of DrFranken
Sent: Thursday, February 11, 2016 10:48 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: Block SSH brute force

So what we do is monitor the Audit Journal, feed those entries to a data queue, process that queue and log the hits. When you hit the max hits for an IP address (adjustable) we reach out to the firewall (Cisco ASA) and drop the door on your toes. You are now blocked from all ports forever. We do have an 'undo' command for when good guys get blocked though.

This does require a specific PTF on IBM i because without it attempts to connect to SSH that did NOT use a valid IBM i User Profile were not logged to the audit journal. So admin and root and such were never logged unless you created a user profile by that name. (WHICH I would recommend against doing frankly.)

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 2/11/2016 10:28 AM, Aaron Bartell wrote:

I have a machine that consistently has high CPU for SSH jobs (n3) so I set up logging (n1) to find the culprit. Turns out China is working overtime to get into this machine. SSH is configured to require keys and disallow passwords (and other sshd_config settings) so I am not too concerned about a breach (n2), but the CPU consumption is annoying.

I have a vCloud network appliance sitting in front of the IBM i and configured a DENY rule for the specific China IP address, but at the end of the day I still need to allow SSH from a variety of IP addresses.

Are there ways, on IBM i, to automatically blacklist IP addresses that attempt to log in with "root"?

What do others employ to stop this in a more automatic fashion?


n1 - http://bit.ly/N1014301
n2 - with the exception of the most recent vulnerabilities

n3 -
Work with Active Jobs                                           02/11/16
CPU %:  16.6     Elapsed time:  00:00:00     Active jobs:  205

                       Current
Opt  Subsystem/Job     User       Type   CPU %   Function     Status
     QP0ZSPWP          QSECOFR    BCI     13.8   PGM-sshd     RUN


Aaron Bartell
litmis.com - Services for open source on IBM i
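
Added example, not code from the thread or from either poster: a small Python model of the pipeline DrFranken describes above (audit journal entries fed to a queue, hits counted per source IP, the firewall told to block once the adjustable maximum is reached, plus an "undo" for good guys who get caught) and of the automatic blacklisting Aaron asks about. The audit-entry record layout is a simplified stand-in for real QAUDJRN entries, the entries themselves are constructed, and the firewall calls are placeholder callbacks, not a Cisco ASA API. An allowlist is included so the "variety of IP addresses" that must keep SSH access are never counted.

```python
"""Hypothetical SSH brute-force blocker modelled on the pipeline described
in the thread: audit journal -> data queue -> per-IP hit count -> firewall
block at max hits, with an 'undo'. All records are constructed and the
firewall calls are callbacks standing in for the real device."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class AuditEntry:
    """Simplified stand-in for one audit journal entry (not the real layout)."""
    timestamp: str
    entry_type: str   # "PW" here means a failed sign-on (bad user or password)
    user: str
    remote_ip: str


# Constructed sample queue contents, not real journal output.
SAMPLE_QUEUE = [
    AuditEntry("2016-02-11 10:01:03", "PW", "root",    "203.0.113.7"),
    AuditEntry("2016-02-11 10:01:04", "PW", "admin",   "203.0.113.7"),
    AuditEntry("2016-02-11 10:01:05", "PW", "QSECOFR", "198.51.100.20"),
    AuditEntry("2016-02-11 10:01:06", "PW", "root",    "203.0.113.7"),
    AuditEntry("2016-02-11 10:01:07", "PW", "root",    "203.0.113.7"),  # 4th hit
    AuditEntry("2016-02-11 10:01:08", "PW", "root",    "203.0.113.7"),  # after block
    AuditEntry("2016-02-11 10:02:00", "JS", "AARON",   "198.51.100.20"),  # not a failure
]


class BruteForceBlocker:
    """Counts failed sign-ons per source IP and blocks once max_hits is reached."""

    def __init__(self, max_hits: int,
                 block_fn: Callable[[str], None],
                 unblock_fn: Callable[[str], None],
                 allowlist: Set[str] = frozenset()) -> None:
        self.max_hits = max_hits            # the "adjustable" maximum
        self.block_fn = block_fn            # placeholder for the firewall call
        self.unblock_fn = unblock_fn        # placeholder for the undo call
        self.allowlist = set(allowlist)     # sources that must never be blocked
        self.hits: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()

    def process(self, entry: AuditEntry) -> bool:
        """Handle one queued entry; return True if it triggered a block."""
        if entry.entry_type != "PW":
            return False                    # only failed sign-ons count as hits
        ip = entry.remote_ip
        if ip in self.blocked or ip in self.allowlist:
            return False                    # already blocked, or trusted
        self.hits[ip] += 1
        if self.hits[ip] >= self.max_hits:
            self.blocked.add(ip)            # blocked from all ports until undone
            self.block_fn(ip)
            return True
        return False

    def undo(self, ip: str) -> None:
        """The 'undo' command: lift the block and forget the hit count."""
        if ip in self.blocked:
            self.blocked.discard(ip)
            self.unblock_fn(ip)
        self.hits.pop(ip, None)


def run_queue(entries: List[AuditEntry], max_hits: int = 4,
              allowlist: Set[str] = frozenset()
              ) -> Tuple[BruteForceBlocker, List[Tuple[str, str]]]:
    """Drain a queue through the blocker; return it plus the firewall actions taken."""
    actions: List[Tuple[str, str]] = []
    blocker = BruteForceBlocker(
        max_hits,
        block_fn=lambda ip: actions.append(("block", ip)),
        unblock_fn=lambda ip: actions.append(("unblock", ip)),
        allowlist=allowlist,
    )
    for entry in entries:
        blocker.process(entry)
    return blocker, actions


if __name__ == "__main__":
    blocker, actions = run_queue(SAMPLE_QUEUE, max_hits=4)
    print("hits:", dict(blocker.hits))
    print("firewall actions:", actions)
    blocker.undo("203.0.113.7")
    print("after undo:", actions[-1], "blocked =", blocker.blocked)
```

In a real deployment the entries would come off the data queue the journal feeds, and `block_fn` would be whatever mechanism the firewall exposes; the threshold, the allowlist and the undo path are the parts worth getting right before wiring that in, since a low threshold plus a missing allowlist is how an admin locks themselves out.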

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.
