I highly recommend http://www.dshield.org. A large community submits their logs to dshield on a regular basis (most do it hourly). dshield then makes aggregate information available, including worst offenders, etc. You can also query for the number of reported attacks originating from a given IP address.
http://www.threatstop.com/ is a commercial service that aggregates threat info from dshield and other services to produce a list of IP subnets to block. I used them during their beta period, but when they launched, the pricing was a bit high for a 'home' user.

Also useful: the geoip netfilter module in xtables-addons (http://xtables-addons.sourceforge.net/) for Linux distributions. This allows you to write firewall rules that depend on the country of the originating IP address. Great way to cut out a lot of SSH attempts from countries you don't reside in (like a lot of cruft I get from China, Russia and the Netherlands).

fail2ban is a good tool for monitoring logged security violations and banning IPs based on repeat offenders. If I remember correctly it's a little more broad in the logs it reacts to than sshdfilter is (mentioned in another post). Either one is much better than nothing :) Using geoip in your netfilter rules will drastically reduce the number of attacks, so they make a good combo.

A more advanced technique is to set up a 'firewall' virtual machine on your machine that handles your public IP address(es). Use a stripped down 'firewall' distribution with only the binaries it needs to be a firewall (no dev tools, perl, python, etc.). Run a few proxies for the few services that must be exposed (e.g. SMTP), and filter those heavily too (e.g. by using geoip mentioned above). Even if that virtual machine is compromised, there's no interesting info available and little to damage (plus it's easy to restore from a backup image kept on the host). I've just started setting up something like this using KVM (kernel virtual machine), running an instance of OpenWRT.

Paul

Zeeshan Zakaria wrote:
> Hi,
>
> In the last week I have seen two servers of our organization successfully hacked and some others under attack from other IP addresses. We would block one IP address on our firewall and after a few hours, they would start getting hits from some other IP address. When I checked them on whois.net <http://whois.net>, they all were from Amsterdam. Surprisingly, I once had a similar attack in the past and it was also from an Amsterdam IP address. And they all belong to the same organization.
>
> Seems like somebody in Amsterdam is really active in trying to hack Asterisk servers around the world.
>
> I was wondering if somebody maintains a list of these IP addresses which everybody can block in their firewalls. And is there a place I can publish these IP addresses?
>
> Thanks
>
> --
> Zeeshan A Zakaria
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
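An added illustration of the fail2ban-style "ban repeat offenders" logic Paul recommends above, applied to the Asterisk SIP registration failures Zeeshan describes. This is example code written for this page, not from the post or from the fail2ban project; the log lines are constructed, and the chan_sip message format, regex and maxretry/findtime thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Asterisk chan_sip NOTICE lines (not real traffic); the
# exact message format is an assumption modelled on Asterisk 1.6/1.8 output.
SAMPLE_LOG = """\
[2010-05-10 14:02:11] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-05-10 14:02:12] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[2010-05-10 14:02:13] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2010-05-10 14:02:20] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[2010-05-10 14:35:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9' - Wrong password
[2010-05-10 15:10:00] NOTICE[2231] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.9' - Wrong password
"""

# The source address may or may not carry a ':port' suffix depending on Asterisk version.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from .* failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)

def parse_failures(text):
    """Yield (timestamp, source_ip, reason) for every failed SIP registration."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]

def find_repeat_offenders(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside a
    sliding findtime window (the same maxretry/findtime idea fail2ban uses)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned = {}
    for ts, ip, _reason in parse_failures(text):
        if ip in banned:  # already decided; a real jail would also expire bans
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # forget failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")  # 198.51.100.7 trips the threshold; 203.0.113.9 is too slow
```

The second source fails three times as well, but spread over more than an hour, so a 10-minute window never sees enough hits to ban it; the decision depends on the window as much as on the count.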