On Wed, May 31, 2006 at 10:19:42PM +0200, Matthias Kilian wrote:
> On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote:
> > Expect I was not clear.
> >
> > Someone is attacking address 1, address 2, address 3, those
> > addresses are all blocked with respect to ssh, but because he
> > is attacking those addresses, I want to stop an expected attack
> > on address 4. I never want to pass ssh on address 1, address 2
> > or address 3 ever, I want to use the information that someone
> > was trying to ssh to those addresses to identify the person as
> > an attacker.
>
> Oh, sorry for not reading exactly.
>
> So your problem is that you want to get state for ssh connection
> attempts to addresses 1, 2 and 3 but at the same time want to block
> those connections. This isn't possible (no connection - no state).
>
> (QUICK HACK ALERT)
>
> But it may be possible to redirect those connections to some unused
> port on localhost (i.e. the firewall), let something listen on this
> port, accept everything but immediately close the connection.
> Then use a simple pass rule with overload and max-src-conn options
> to add offending addresses to your table.
This makes me think of other 'solutions' to this problem - honeyd and LaBrea. Especially the latter is custom-written for your problem. Well, it doesn't so much help you as hurt the attacker. But the former is not really necessary if you have good passwords, or proper cryptographic authentication, and the latter is fun. ;-) Of course, both run with quite a bit of privilege, I believe. You may want to look into either - though LaBrea is the preferable, and simpler, solution if you just want to tarpit someone.

Joachim
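The quick hack Matthias describes above, written out as a pf.conf fragment. This is an added example, not code from the thread; the addresses, interface name em0 and sink port 2222 are constructed, and it uses the current OpenBSD pf syntax (pass ... rdr-to) rather than the separate rdr rule of 2006-era pf.

```pf
# Added example (not from the thread). Addresses, interface and sink
# port are constructed; adjust them to your own setup.
ext_if      = "em0"
decoy_addrs = "{ 192.0.2.1, 192.0.2.2, 192.0.2.3 }"   # never serve ssh here
real_ssh    = "192.0.2.4"                            # the host to protect
sink_port   = "2222"   # any accept-and-close listener on 127.0.0.1:2222

table <bruteforce> persist

# Anyone already flagged is dropped before anything else is evaluated.
block in quick on $ext_if from <bruteforce>

# ssh to the decoy addresses never reaches a real sshd: it is redirected
# to the local sink. Because the connection is passed (to the sink), pf
# creates state, so the overload option can count sources. The second
# attempt from one source within a minute (max-src-conn-rate 2/60), or a
# second simultaneous state (max-src-conn 1), adds the source to
# <bruteforce>; flush global also kills its existing states.
pass in quick on $ext_if proto tcp from any to $decoy_addrs port 22 \
    rdr-to 127.0.0.1 port $sink_port \
    keep state (max-src-conn 1, max-src-conn-rate 2/60, overload <bruteforce> flush global)

# Legitimate ssh to the real host; sources in <bruteforce> were already
# blocked above.
pass in on $ext_if proto tcp from any to $real_ssh port 22

# Pre-4.7 pf had no rdr-to on pass rules; the equivalent was a separate
# translation rule placed before the filter rules:
#   rdr on $ext_if proto tcp from any to $decoy_addrs port 22 \
#       -> 127.0.0.1 port $sink_port
```

Entries can be aged out of the table from cron with `pfctl -t bruteforce -T expire 86400` so a flagged source is not blocked forever.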