I like this solution. Even if I don't automatically add a rule to the
network appliance I could still shoot off an email to myself for
problematic IPs. Though if Tim Bronski's response is true then I will
eventually need to automate it otherwise it will be a daily task.

The switching of SSH ports is also something I've done for other machines
though found articles chastising the practice for it not being a purist
solution (but hey, if it works it works).

Aaron Bartell
litmis.com - Services for open source on IBM i


On Thu, Feb 11, 2016 at 9:47 AM, DrFranken <midrange@xxxxxxxxxxxx> wrote:

So what we do is monitor the Audit Journal, feed those entries to a data
queue, process that queue and log the hits. When you hit the max hits for
an IP address (adjustable) we reach out to the firewall (Cisco ASA) and
drop the door on your toes. You are now blocked from all ports forever. We
do have an 'undo' command for when good guys get blocked though.

This does require a specific PTF on IBM i because without it attempts to
connect to SSH that did NOT use a valid IBM i User Profile were not logged
to the audit journal. So admin and root and such never logged unless you
created a user profile by that name. (WHICH I would recommend against doing
frankly.)

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.


On 2/11/2016 10:28 AM, Aaron Bartell wrote:

I have a machine that consistently has high CPU for SSH jobs(n3) so I set
up logging(n1) to find the culprit. Turns out China is working overtime
to
get into this machine. SSH is configured to require keys and disallow
passwords (and other sshd_config settings) so I am not too concerned about
a breach(n2), but the CPU consumption is annoying.

I have a vCloud network appliance sitting in front of the IBM i and
configured a DENY rule for the specific China IP address, but at the end
of
the day I still need to allow SSH from a variety of IP addresses.

Are there ways, on IBM i, to automatically blacklist IP addresses that
attempt to log in with "root"?

What do others employ to stop this in a more automatic fashion?


n1 - http://bit.ly/N1014301
n2 - with the exception of the most recent vulnerabilities

n3...
Work with Active Jobs
02/11/16
CPU %: 16.6 Elapsed time: 00:00:00 Active jobs: 205
Current
Opt Subsystem/Job User Type CPU % Function Status
QP0ZSPWP QSECOFR BCI 13.8 PGM-sshd RUN


Aaron Bartell
litmis.com - Services for open source on IBM i

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.