My Denyhosts daemon is configured pretty much like that, but it uses TCP Wrapper (hosts.deny) instead of the firewall and it uploads the attacking IPs to a central server every hour for other Denyhosts users.
Gary Baribault Courriel: g...@baribault.net GPG Key: 0x685430d1 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 On 06/17/2010 08:32 AM, Gregory Bellier wrote: > Hi ! > > Most of the time (to not say everytime), it's a bot and not a human > behind those attacks. > I configured my firewall to ban for a minute every IPs trying to log > in with 5 wrong attempts. > Once it's banned, the bot tries one or two more times and then give up. > > It's pretty much effective. > > > > 2010/6/17 Gary Baribault <g...@baribault.net > <mailto:g...@baribault.net>> > > Hello list, > > I have a strange situation and would like information from the > list members. I have three Linux boxes exposed to the Internet. > Two of > them are on cable modems, and both have two services that are > publicly > available. In both cases, I have SSH and named running and available > to the public. Before you folks say it, yes I run SSH on TCP/22 > and no > I don't want to move it to another port, and no I don't want to > restrict it to certain source IPs. > > Both of these systems are within one /21 and get attacked > regularly. I run Denyhosts on them, and update the central > server once > an hour with attacking IPs, and obviously also download the public > hosts.deny list. > > These machines get hit regularly, so often that I don't really > care, it's fun to make the script kiddies waste their time! But in > this instance, only my home box is being attacked... someone is > burning a lot of cycles and hosts to do a distributed dictionary > attack on my one box! The named daemon is non recursive, properly > configured, up to date and not being attacked. > > Is anyone else seeing this type of attack? Or is someone really > targeting MY box? > > Thanks > > > Gary Baribault > Courriel: g...@baribault.net <mailto:g...@baribault.net> > GPG Key: 0x685430d1 > Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1 > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
