So what we do is monitor the Audit Journal, feed those entries to a data queue, process that queue and log the hits. When you hit the max hits for an IP address (adjustable) we reach out to the firewall (Cisco ASA) and drop the door on your toes. You are now blocked from all ports forever. We do have an 'undo' command for when good guys get blocked though.

This does require a specific PTF on IBM i because without it attempts to connect to SSH that did NOT use a valid IBM i User Profile were not logged to the audit journal. So admin and root and such never logged unless you created a user profile by that name. (WHICH I would recommend against doing frankly.)

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 2/11/2016 10:28 AM, Aaron Bartell wrote:

I have a machine that consistently has high CPU for SSH jobs(n3) so I set
up logging(n1) to find the culprit. Turns out China is working overtime to
get into this machine. SSH is configured to require keys and disallow
passwords (and other sshd_config settings) so I am not too concerned about
a breach(n2), but the CPU consumption is annoying.

I have a vCloud network appliance sitting in front of the IBM i and
configured a DENY rule for the specific China IP address, but at the end of
the day I still need to allow SSH from a variety of IP addresses.

Are there ways, on IBM i, to automatically blacklist IP addresses that
attempt to log in with "root"?

What do others employ to stop this in a more automatic fashion?


n1 - http://bit.ly/N1014301
n2 - with the exception of the most recent vulnerabilities

n3...
Work with Active Jobs
02/11/16
CPU %: 16.6 Elapsed time: 00:00:00 Active jobs: 205
Current
Opt Subsystem/Job User Type CPU % Function Status
QP0ZSPWP QSECOFR BCI 13.8 PGM-sshd RUN


Aaron Bartell
litmis.com - Services for open source on IBM i


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.