hi
I handle this through iptables, there is a patch available by Stephen Frost,
I think now it's in the mainstream kernel.
# record the source address of every new SSH connection in the LIMIT22 list
iptables -t filter -A INPUT -i ${EXTIFACE} -p tcp --dport 22 -m state --state NEW -m recent --name LIMIT22 --set
# drop new connections from sources that reach ${HITS} hits within 60 seconds
iptables -t filter -A INPUT -i ${EXTIFACE} -p tcp --dport 22 -m state --state NEW -m recent --name LIMIT22 --update --seconds 60 --hitcount ${HITS} -j DROP
The above rules will allow HITS number of connections in 1 minute.
You can set HITS to 3-4.
thanks n regards
Yunus
> Hello guys,
>
>
> Recently (a month or two back), I have been seeing a bit of portscans
> and dictionary-based attacks on my server. Luckily I have only SSH in
> there, but I find that as days pass by, the scans are becoming more and
> more intensive.
>
> Can somebody comment on the logs that I have? Is there something I can do to
> avoid these? I know that moving the SSH port to an obscure one will help,
> but it would be only as long as finding the active port.
>
> In such a case what can I do against the attacker?
>
>
> Thanks,
> Manu
>
>
> Feb 20 17:03:44 bh sshd[28569]: Invalid user ixess from
> ::ffff:202.26.148.130
> Feb 20 17:03:47 bh sshd[28571]: Invalid user gnats from
> ::ffff:202.26.148.130
> Feb 20 17:03:50 bh sshd[28573]: Invalid user gnats from
> ::ffff:202.26.148.130
> Feb 20 17:03:54 bh sshd[28575]: Invalid user gnats from
> ::ffff:202.26.148.130
> Feb 20 17:03:57 bh sshd[28577]: Invalid user gnats from
> ::ffff:202.26.148.130
> Feb 20 17:04:00 bh sshd[28579]: Invalid user mdom from
> ::ffff:202.26.148.130
> Feb 20 17:04:04 bh sshd[28581]: Invalid user mdom from
> ::ffff:202.26.148.130
> Feb 20 17:04:07 bh sshd[28583]: Invalid user mdom from
> ::ffff:202.26.148.130
> Feb 20 17:04:10 bh sshd[28585]: Invalid user mdom from
> ::ffff:202.26.148.130
> Feb 20 17:04:14 bh sshd[28587]: Invalid user lnx from
> ::ffff:202.26.148.130
> Feb 20 17:04:17 bh sshd[28589]: Invalid user lnx from
> ::ffff:202.26.148.130
> Feb 20 17:04:20 bh sshd[28591]: Invalid user lnx from
> ::ffff:202.26.148.130
> Feb 20 17:04:23 bh sshd[28593]: Invalid user lnx from
> ::ffff:202.26.148.130
> Feb 20 17:04:27 bh sshd[28595]: Invalid user exam from
> ::ffff:202.26.148.130
>
> <snip>
>
> Feb 20 18:39:18 bh sshd[28744]: Invalid user theo from
> ::ffff:218.189.146.172
> Feb 20 18:39:18 bh sshd[28744]: reverse mapping checking getaddrinfo for
> bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 20 18:39:20 bh sshd[28746]: Invalid user theo from
> ::ffff:218.189.146.172
> Feb 20 18:39:20 bh sshd[28746]: reverse mapping checking getaddrinfo for
> bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 20 18:39:21 bh sshd[28748]: Invalid user theo from
> ::ffff:218.189.146.172
> Feb 20 18:39:21 bh sshd[28748]: reverse mapping checking getaddrinfo for
> bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 20 18:39:22 bh sshd[28742]: reverse mapping checking getaddrinfo for
> bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 20 18:39:22 bh sshd[28750]: Invalid user philip from
> ::ffff:218.189.146.172
> Feb 20 18:39:22 bh sshd[28750]: reverse mapping checking getaddrinfo for
> bbs-172-146-189-218.on-nets.com failed - POSSIBLE BREAKIN ATTEMPT!
>
> <snip>
>
> Feb 25 15:50:47 bh sshd[19323]: Invalid user sloan from
> ::ffff:69.56.181.138
> Feb 25 15:50:47 bh sshd[19323]: reverse mapping checking getaddrinfo for
> 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 25 15:50:49 bh sshd[19325]: Invalid user sloane from
> ::ffff:69.56.181.138
> Feb 25 15:50:49 bh sshd[19325]: reverse mapping checking getaddrinfo for
> 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 25 15:50:52 bh sshd[19327]: Invalid user snoop from
> ::ffff:69.56.181.138
> Feb 25 15:50:52 bh sshd[19327]: reverse mapping checking getaddrinfo for
> 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 25 15:50:54 bh sshd[19329]: Invalid user snoopy from
> ::ffff:69.56.181.138
> Feb 25 15:50:54 bh sshd[19329]: reverse mapping checking getaddrinfo for
> 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 25 15:50:57 bh sshd[19331]: Invalid user sonia from
> ::ffff:69.56.181.138
> Feb 25 15:50:57 bh sshd[19331]: reverse mapping checking getaddrinfo for
> 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 25 15:50:59 bh sshd[19333]: Invalid user sonny from
> ::ffff:69.56.181.138
> Feb 25 15:50:59 bh sshd[19333]: reverse mapping checking getaddrinfo for
> 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 25 16:06:43 bh sshd[20113]: Invalid user catherine from
> ::ffff:69.56.181.138
> Feb 25 16:06:43 bh sshd[20113]: reverse mapping checking getaddrinfo for
> 69-56-181-138.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!