Hi Mick,

Mick wrote on 01/04/07 20:44:
>> Recently I was looking through my logs when I got pissed off (again) by
>> the big number of lines showing something like 'sshd: auth. error:
>> unknown user "XXX" from "some IP address"'. I wrote a script which
>> automatically sets all connections from those IP addresses to be
>> dropped. Next I decided to change "-j DROP" with "-j TARPIT" and I
>> realized that gentoo-sources doesn't provide the netfilter target "TARPIT".

> Given that others have already replied how to patch the kernel, here's a
> somewhat
> indirect answer which may resolve the root cause:  Are you using passwd
> authentication?  I wonder if the logs would still be filling up by such
> botnets if you had allowed only 'PubkeyAuthentication yes'.  The other thing
> to consider is changing the default ssh port 22 to some other random port
> which is not hit as frequently by botnets, only by more comprehensive port
> scans.  Then remove your iptables LOG rule for port 22 (if you have one) and
> you should get rid of almost all related messages.

Daniel complained about the sshd messages, not iptables messages.

I fully agree that he should implement pub/priv key authentication, but
even so, that will not prevent the flood of ssh messages in syslog.

Adding an unlogged iptables DROP target rule for port 22 will suppress
the messages, but not the attacks.

The botnet / script kiddie morons are a pain in the (anatomy of choice).

Cheers, Dave
-- 
gentoo-user@gentoo.org mailing list
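The thread talks about a script that picks the offending source addresses out of the sshd "unknown user" lines and drops them; as an added illustration of that detection step (not Daniel's script and not anything from the list), here is a small POSIX sh/awk version. The log lines are constructed samples using documentation addresses, and the output format assumed for sshd is the common "Invalid user NAME from IP" message; it only prints the iptables rules it would add rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread: count sshd "Invalid user" failures per
# source address and list the sources that reach a threshold.
# SAMPLE_LOG is a constructed sample; real input would come from syslog.

SAMPLE_LOG='Apr  1 20:40:01 host sshd[1234]: Invalid user oracle from 203.0.113.5
Apr  1 20:40:02 host sshd[1235]: Failed password for invalid user oracle from 203.0.113.5 port 51234 ssh2
Apr  1 20:40:03 host sshd[1236]: Invalid user test from 203.0.113.5
Apr  1 20:40:04 host sshd[1237]: Invalid user admin from 203.0.113.5
Apr  1 20:41:10 host sshd[1240]: Invalid user guest from 198.51.100.7
Apr  1 20:42:00 host sshd[1241]: Accepted publickey for dave from 192.0.2.10 port 40000 ssh2'

# offenders LOGTEXT THRESHOLD
# Prints "count ip" for every source with at least THRESHOLD "Invalid user"
# lines, highest count first. Only the "Invalid user" message is counted, so
# the "Failed password" line for the same attempt is not double counted.
offenders() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /sshd\[[0-9]+\]: Invalid user / {
            # the source address is the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' | sort -rn
}

# block_rules LOGTEXT THRESHOLD
# Emits (does not run) one unlogged DROP rule per offender for port 22, which
# is the kind of rule the thread describes. Review the list before applying.
block_rules() {
    offenders "$1" "$2" | while read -r count ip; do
        printf 'iptables -A INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Stand-alone run: show offenders with 3 or more attempts and the rules for them.
offenders "$SAMPLE_LOG" 3
block_rules "$SAMPLE_LOG" 3
```

With real logs, feed the output of `grep sshd /var/log/messages` (or the auth log on your system) in place of the sample, and keep the threshold high enough that a typo-prone legitimate user is not blocked along with the scanners.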