Hi, I just subscribed and created a new email account only for this purpose, to send you an idea (or 2). ;)

The problem: I have full logs of intrusions from some automats trying dictionary passwords for other dictionary logins.

The status: these are some "actions" during client-server handshaking:
1. client connects
2. client waits for server feedback
3. server responds
4. client sends a login (or keys handshake ...)
5. server accepts the connection and sends back the confirmation
6. communication

Question I.: what about adding some "delay" as '-' option[s] to sshd that will wait/sleep some nans/tens of seconds between some of these handshakes? I think it would not be a problem to update all the client SW to accept this option... but in between, some CPU could be used for IDS SW to identify the intrusion, to put some iptables -I ... for instance... (I have some own simple IDS and I'm really missing such a "delay" and CPU to make an action...) I use login/password identification mostly, and I have no problem waiting (if keys) 2-5 seconds for authentication... ... but intrusion SW doesn't wait - it just tries ...

Question II.: another possibility ;) what about adding an "optional action" as a parameter of sshd (could be used for IDS) in case of intrusion detection (anyway logged to syslog) to run some rule-based "anything"?

br
Stanley
On Thu, Sep 29, 2005 at 10:22:03PM +0200, Kaleta Stanley wrote:
> what about adding an "optional action" as a parameter of sshd
> (could be used for IDS)
> in case of intrusion detection (anyway logged to syslog)

Both your suggestions have been seen before, and the answer is that OpenSSH already exports the needed information through syslog, and that's where you (and tools) should look in order to make any decisions based on failed logins.

//Peter
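As an added example (not part of this thread and not OpenSSH code), the following script is the kind of syslog consumer Peter points at: it reads the "Failed password for ... from ... port ... ssh2" lines sshd already writes, counts failures per source address, reports which usernames were tried (a long list of distinct names is the dictionary sweep Stanley describes), and renders the `iptables -I` commands he mentions for review instead of running them. The log lines, hostname, PIDs and addresses are constructed; the threshold of 5 and the INPUT chain are assumptions.

```python
"""Threshold watcher for sshd failed-login lines from syslog.

Added example, not code from the thread or from OpenSSH.  It consumes the
"Failed <method> for [invalid user] <name> from <ip> port <n> ssh2" messages
sshd emits and turns them into per-address block decisions.
"""
import re
from collections import defaultdict

# Constructed sample log.  Hostname, PIDs and addresses (RFC 5737
# documentation ranges) are made up; the message shapes follow what
# sshd logs through syslog.
SAMPLE_LOG = """\
Sep 29 22:22:03 bastion sshd[4101]: Invalid user admin from 192.0.2.10
Sep 29 22:22:03 bastion sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Sep 29 22:22:04 bastion sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Sep 29 22:22:05 bastion sshd[4105]: Failed password for root from 192.0.2.10 port 51251 ssh2
Sep 29 22:22:05 bastion sshd[4107]: Failed password for invalid user oracle from 192.0.2.10 port 51260 ssh2
Sep 29 22:22:06 bastion sshd[4109]: Failed password for invalid user guest from 192.0.2.10 port 51266 ssh2
Sep 29 22:22:30 bastion sshd[4111]: Failed password for stanley from 198.51.100.7 port 40001 ssh2
Sep 29 22:22:41 bastion sshd[4111]: Accepted password for stanley from 198.51.100.7 port 40001 ssh2
Sep 29 22:23:10 bastion sshd[4120]: Failed password for invalid user pi from 203.0.113.5 port 33012 ssh2
"""

# One pattern covers both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".  The separate
# "Invalid user ... from ..." line is deliberately not counted, so a
# bad username costs one failure, not two.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Map source IP -> usernames that failed from it, in log order."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return dict(failures)


def offenders(log_text, threshold=5):
    """IPs with at least `threshold` failures (threshold is an assumption).

    Returns {ip: sorted distinct usernames tried}.  Many distinct names from
    one address is the dictionary-login sweep; one name repeated a few
    times looks more like a person mistyping a password.
    """
    result = {}
    for ip, users in parse_failures(log_text).items():
        if len(users) >= threshold:
            result[ip] = sorted(set(users))
    return result


def iptables_rules(log_text, threshold=5, chain="INPUT"):
    """Render one `iptables -I` command per offender (chain and port are
    assumptions).  Strings are returned for an operator to review; nothing
    is executed here."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(offenders(log_text, threshold))]


if __name__ == "__main__":
    counts = parse_failures(SAMPLE_LOG)
    for ip, users in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {len(counts[ip])} failures, users tried: {', '.join(users)}")
    for rule in iptables_rules(SAMPLE_LOG):
        print(rule)
```

Run against the sample, only 192.0.2.10 crosses the threshold (five failures across five usernames); the single failure from 198.51.100.7 followed by an accepted login stays below it. In real use the script would read the live auth log (or a syslog pipe) instead of SAMPLE_LOG, and the threshold would be applied per time window rather than over the whole file.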