If you need to protect your ssh from scanners, wouldn't it probably just be best to block people that are actually scanning you? I use the denyhosts script (watches logs for failed login attempts, and blocks IPs based on that), and there are a couple other good ones. The two main problems with your solution are:

1. how can you trust some magical offsite list so much that you are willing to block traffic based on what it says?
2. how can you believe that such a list would ever be complete, or even thorough? New machines get taken over all the time, and my guess is that the average lifespan of such machines is about a week or so before an admin sees what's going on.

- DEAN

James Lay wrote:
> So ok.....I'm completely positive I didn't make myself clear at all in
> my previous message...go me! Here's a web site that I did manage to
> find that has a current list of open proxies:
>
> http://www.samair.ru/proxy/index.htm
>
> My hope is that I could find a site that has a list of currently
> reported open proxies, scanners, and ssh brute force boxes. The RBLs
> pretty much have smtp covered. I would run a cron job at midnight, wget
> and grep the file, then create an iptables table to block those hosts.
> This is an attempt to be more proactive than reactive...if I knew those
> hosts that were actively doing naughty things, why not block them at
> the get go?
>
> Does this make sense? Am I barking up the wrong tree? Thanks all =)
>
> James
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
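The log-watching approach described in the reply above, sketched as an added example (not part of the original thread and not DenyHosts' own code): it counts failed sshd logins per source address inside a sliding window and renders, without executing, the kind of iptables rule the quoted message wanted to generate. The function names, threshold, window and sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format (not real
# traffic; addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Mar  3 02:14:01 host sshd[411]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:03 host sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar  3 02:14:06 host sshd[412]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
Mar  3 02:20:00 host sshd[420]: Failed password for dean from 198.51.100.9 port 51000 ssh2
Mar  3 02:20:30 host sshd[421]: Accepted password for dean from 198.51.100.9 port 51002 ssh2
Mar  3 09:00:00 host sshd[500]: Failed password for root from 192.0.2.44 port 2201 ssh2
Mar  3 15:00:00 host sshd[600]: Failed password for root from 192.0.2.44 port 2202 ssh2
Mar  3 21:00:00 host sshd[700]: Failed password for root from 192.0.2.44 port 2203 ssh2
"""

# The username field is attacker-controlled, so the address is taken from the
# trailing "from <ip> port <n> ssh2" that sshd writes, anchored at end of line.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?.* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def offenders(log_text, threshold=3, window=timedelta(minutes=10), year=2000):
    """Return IPs with >= threshold failed logins inside one sliding window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    flagged = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and m.group(2) not in flagged:
            flagged.append(m.group(2))
    return flagged

def iptables_rules(ips):
    """Render (do not run) one DROP rule per offender for the SSH port."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(iptables_rules(offenders(SAMPLE_LOG))))
```

With the default ten-minute window only the burst from 203.0.113.7 is flagged; the three failures spread across a day from 192.0.2.44 stay under the threshold unless the window is widened.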
