On Wed, Jul 27, 2005 at 08:29:16AM -1000, R. Scott Belford wrote:
> How are others handling this? Do you block the IP address? If
> so, does it help, or are you still found by yet another zombie?
> Any suggestions or insight are welcome.
The reactive projects popping up in response to this are great technical exercises but are simply band-aids, because you lock down access _after_ you detect a problem. If you just want to stop the zombies and not targeted attacks, simply move your ssh port. This is probably the easiest approach. To really be safe, move to a default deny stance and only allow [semi-]trusted networks to ssh into your server.

-Vince
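The two measures Vince describes (move sshd off port 22; default-deny inbound traffic and allow SSH only from trusted networks) as a worked configuration. This is an added example and not part of the original thread or the poster's own setup. It assumes a Linux host with nftables and an OpenSSH that honours `Include /etc/ssh/sshd_config.d/*.conf` (8.2 or later, as most current distributions ship); the port 2222 and the RFC 5737 documentation prefixes used as "trusted" networks are placeholders, and the systemd unit name (`ssh` vs `sshd`) varies by distribution.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Moves sshd off 22 and installs a default-deny inbound firewall that
# admits SSH only from trusted source networks.
# ASSUMPTIONS: Linux + nftables; OpenSSH with an sshd_config.d Include;
# SSH_PORT and TRUSTED_NETS below are placeholders (RFC 5737 prefixes).

SSH_PORT="${SSH_PORT:-2222}"
TRUSTED_NETS="${TRUSTED_NETS:-203.0.113.0/24 198.51.100.7/32}"

# sshd_config drop-in: new listening port, and no password auth so that
# whatever still reaches the new port cannot brute-force a password.
sshd_dropin() {
    cat <<EOF
Port ${SSH_PORT}
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
}

# nftables ruleset: input policy is drop; allow return traffic, loopback,
# ICMP, and TCP to the SSH port only from the trusted set.
nft_ruleset() {
    # Turn the space-separated list into nft set elements: "a,b".
    elems=$(printf '%s\n' $TRUSTED_NETS | paste -sd, -)
    cat <<EOF
table inet filter {
    set ssh_trusted {
        type ipv4_addr
        flags interval
        elements = { ${elems} }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport ${SSH_PORT} ip saddr @ssh_trusted accept
    }
}
EOF
}

# Write the drop-in, validate sshd's config, syntax-check the ruleset,
# then load it atomically and reload sshd. Keep your current session open
# until you have confirmed a fresh login from a trusted address works.
apply() {
    sshd_dropin > /etc/ssh/sshd_config.d/10-port-and-auth.conf
    sshd -t || return 1
    nft_ruleset | nft -c -f - || return 1
    nft_ruleset | nft -f -
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
}

# Only apply when explicitly asked, so the functions can be sourced and
# inspected (e.g. "sh thisfile.sh" prints nothing; "sh thisfile.sh apply" applies).
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run `sh thisfile.sh apply` as root from a session originating in one of the trusted networks; `nft -c` and `sshd -t` abort before anything is changed if either config fails to parse. Moving the port only thins out untargeted scanning, as the post says; the `policy drop` input chain is what actually closes the door to everyone else.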