Reza,
Take a look at this page; it will show a few different ways to bring it
under control.
http://la-samhna.de/library/brutessh.html
The best way is to use RSA keys; it just means you need to carry a USB key
with you if you want to log on from somewhere else. If not this, use the
tcp_wrapper method; it is pretty easy to implement.
Mike
John Van Ostrand wrote:
On Tue, 2006-03-28 at 15:51 -0500, Reza - Asterisk Enthusiast wrote:
Ok... some people have absolutely no respect for other people's hard
work - not knowing that they are hurting a small time business owner
versus corporations. Having said that, even attacking large
corporations with DDoS is equally sick because in many cases
shareholders themselves are hardworking people - who invested their
life savings.
I don't see a difference between a criminal trying to break open the
locked door of a family owned convenience store vs. trying to break
into an individually owned server.
So... why do I post this message here? Last evening I received
EXACTLY 63510 attempts to log in to my Asterisk server at my colo.
My server is taking a GOOD BEATING - and the only thing that is
happening is my logs are getting populated at a rate of 10 megs per
day and bandwidth increasing.
I know a number of software based firewalls for Linux, but is there
any software application out there, that utilizes relatively low CPU
resources, to prevent or slow down DDoS - that any of you have
ACTUALLY implemented? I have a Fortigate firewall solution on
another server, but those toys are expensive. I'm not ready to pitch
in another large sum of money for this... but at the end if I have
to... I have to.
The quick fix is to allow SSH ONLY from my range of IPs - but that
is only a Band-Aid solution. What is disturbing though is that
these "people with no respect", are targeting my Asterisk Server.
This is why it's bugging me!
Your thoughts and inputs on what measures you take to protect your
servers from DDoS are greatly appreciated... especially those of you
who are running Asterisk for business purposes!
The system that the attack is coming from is likely a compromised
system and the owner/administrator is probably unaware that it is
happening, so I don't recommend that you take strong action against
the person.
Iptables is the elegant, but complex way of limiting connections.
Newer versions of the kernel have an ipt_recent module that allows you
to detect and temporarily (or permanently) shutdown offending IP
addresses based on how many times in a given duration that a
connection has been made. This is one way to solve the problem and I
recommend it if you are interested in learning firewalling.
However, it can be somewhat complex and if you want to avoid the
complexity you could simply move your SSH port. Edit your
/etc/ssh/sshd_config file and change "Port 22" to something like "Port
62200" or your street address, whatever, just stay away from ports
listed in /etc/services. Then to SSH in use the -p option of ssh (or
putty if you're stuck with Windows) to connect using the alternate
port number.
I don't recommend blocking their address manually. Although it will
stop the attack initially, you will eventually be attacked from
another IP address. It's not uncommon to be hit from more than one IP
simultaneously.
--
John Van Ostrand, Director of Technology
Net Direct Inc.
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6
map: <http://maps.google.ca/maps?q=Net+Direct+Inc.,+564+Weber+St.+N.+Unit+12,+Waterloo,+ON+N2L+5C6,+canada&ll=43.494599,-80.548222&spn=0.038450,0.073956&iwloc=A&hl=en>
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Ph: 519-883-1172 ext. 5102
Fx: 519-883-8533
Linux Solutions / IBM Hardware <http://www.netdirect.ca>
--
Mike Ashton
Quality Track Intl
Ph: 647-722-2092 x 251
Cell: 416-527-4995
Fax: 416-352-6043
QTI CONFIDENTIAL AND PROPRIETARY INFORMATION
The contents of this material are confidential and proprietary to Quality Track
International, Inc.
and may not be reproduced, disclosed, distributed or used without the express
permission of an authorized representative of QTI.
Use for any purpose or in any manner other than that expressly authorized is
prohibited.
If you have received this communication in error, please immediately delete it
and all copies, and promptly notify the sender.
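The two mitigations John describes (an ipt_recent rate limit on new SSH connections, and moving sshd off port 22 while staying clear of /etc/services) as an added example, not code from the thread or from any of its authors. The admin network 192.0.2.0/24, the limit of 4 new connections per 60 seconds and the sample files are constructed values; 62200 is the port number John mentions. The iptables commands are only printed unless IPTABLES=iptables is set in the environment, so the script can be reviewed on any machine before it is run as root on the real host.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumed/constructed values:
# trusted admin range 192.0.2.0/24, limit 4 new connections per 60 s.
# IPTABLES defaults to "echo iptables" (dry run); export IPTABLES=iptables
# and run as root to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Emit (or apply) the ipt_recent limiter for new TCP connections to PORT:
#   1. accept the admin network first, so the limiter can never lock out
#      the people who have to fix the box;
#   2. record every NEW connection to PORT in a recent list named SSH;
#   3. DROP a source that has made more than HITS new connections within
#      WINDOW seconds (--update also refreshes its timestamp, so a host
#      that keeps hammering stays blocked).
# These rules must sit before any general ACCEPT for the port.
ssh_ratelimit_rules() {
    port="$1"; admin_net="$2"; hits="$3"; window="$4"
    $IPTABLES -A INPUT -p tcp --dport "$port" -s "$admin_net" -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW \
        -m recent --set --name SSH
    $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW \
        -m recent --update --seconds "$window" --hitcount "$hits" \
        --name SSH -j DROP
}

# Return 0 if PORT/tcp appears in the services file given as $2
# (normally /etc/services); John's advice is to pick a port that does not.
port_listed_in_services() {
    port="$1"; services="$2"
    grep -Eq "[[:space:]]${port}/tcp" "$services"
}

# Rewrite the Port directive in the sshd_config given as $1 to $2.
# Handles "Port 22", "#Port 22" and surrounding whitespace; appends the
# directive if the file has none. Prints the resulting Port line.
set_sshd_port() {
    cfg="$1"; newport="$2"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $newport/" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$newport" >> "$cfg"
    fi
    grep -E '^Port ' "$cfg"
}

# Typical use on the real host (root):
#   IPTABLES=iptables ssh_ratelimit_rules 62200 192.0.2.0/24 4 60
#   port_listed_in_services 62200 /etc/services && echo "pick another port"
#   set_sshd_port /etc/ssh/sshd_config 62200   # then restart sshd
```

Keep an existing SSH session open while applying either change and test a fresh login from the admin range before closing it; the ACCEPT for the admin network is what turns Reza's "only from my range" idea into a safety net rather than the whole solution. Moving the port reduces log noise from scanners that only try 22 but does nothing against an attacker who probes all ports, so it complements the rate limit (or the tcp_wrappers rules Mike mentions) rather than replacing it.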