There's another Linux program out there called BFD that does the same thing: parses logs and creates IPTABLES rules, but it doesn't use Python. Google it and see if it will work for your application.
Also, this might go without saying, but I'd recommend against applying any router-based rules to customer subnets. That approach is ripe for unintended consequences, and can create a troubleshooting nightmare for your customers.

--
Patrick Shoemaker
President, Vector Data Systems LLC
shoemak...@vectordatasystems.com
office: (301) 358-1690 x36
http://www.vectordatasystems.com

Tom Sharples wrote:
> I'm writing a reactive bash script this weekend to take care of the problem.
> Can't load python on these embedded servers, or I'd just use the denyhosts
> script Josh and George suggested.
> The idea of generating a common database of offending IPs to propagate to
> all our servers is a good one too, that will be in Version 2 :-)
>
> Thanks,
>
> Tom S.
>
> ----- Original Message -----
> From: "Butch Evans" <but...@butchevans.com>
> To: "Tom Sharples" <tsharp...@qorvus.com>; "WISPA General List"
> <wireless@wispa.org>
> Sent: Saturday, May 02, 2009 12:18 PM
> Subject: Re: [WISPA] Crude dictionary attack via ssh
>
>
>> On Fri, 2009-05-01 at 18:36 -0700, Tom Sharples wrote:
>>
>>> This works too :-)
>>>
>>> iptables -A INPUT -s 213.165.154.53/24 -j DROP
>>>
>> It does for sure. The only problem is that this one host is not the
>> only one to be concerned about. If you have a router at the border of
>> the network that has the capability of watching the network for this
>> type of behaviour and responding to it, then I'd suggest adding that
>> function there.
>>
>> The denyhosts script that Josh suggested works, but it is a reactive
>> script. In other words, it watches the log file and does what you
>> suggest automatically. At least that's what I saw the first time I
>> looked at it.
>>
>> A better approach is the one that Eje suggested. His suggestion uses a
>> router (probably Mikrotik in his case) that watches for this behaviour
>> and drops all traffic from this host automatically. You can do this
>> with Mikrotik, ImageStream or any other OS that includes iptables and
>> the "recent module". It's not even that hard to do.
>>
>> --
>> ********************************************************************
>> * Butch Evans * Professional Network Consultation*
>> * http://www.butchevans.com/ * Network Engineering *
>> * http://www.wispa.org/ * WISPA Board Member *
>> * http://blog.butchevans.com/ * Wired or Wireless Networks *
>> ********************************************************************
>>
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
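
The reactive approach discussed in this thread (watch the sshd log, then add one DROP rule per offender), sketched in plain sh and awk for hosts that cannot run Python. This is an added example, not code from any poster or from BFD or denyhosts; the threshold, the allow-list, the OpenSSH-style log format (IPv4 only) and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example: reactive SSH blocker in sh + awk. THRESHOLD, ALLOW and the
# sample log are assumptions for this sketch, not values from the thread.
THRESHOLD=3            # failures from one source before it is blocked
ALLOW="192.0.2.10"     # space-separated addresses never to block (admin hosts)

# Read sshd log lines on stdin; print each source IP with >= THRESHOLD failures.
offenders() {
    awk -v min="$THRESHOLD" -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # The user name is attacker-controlled and may itself contain
        # "from <ip>", so read the address by position from the END of the
        # line, which sshd writes:  ... from <ip> port <n> ssh2
        /sshd\[[0-9]+\]: Failed password for / && NF >= 5 &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in skip)) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Turn offender IPs into iptables commands. They are printed, not executed,
# so the list can be reviewed first; one host per rule (/32).
drop_rules() {
    while read -r ip; do
        printf 'iptables -A INPUT -s %s/32 -j DROP\n' "$ip"
    done
}

# Constructed sample log (documentation address ranges, not real hosts).
sample_log() {
    cat <<'EOF'
May  2 12:00:01 gw sshd[411]: Failed password for root from 203.0.113.7 port 40001 ssh2
May  2 12:00:03 gw sshd[412]: Failed password for invalid user x from 198.51.100.9 from 203.0.113.7 port 40002 ssh2
May  2 12:00:05 gw sshd[413]: Failed password for invalid user x from 198.51.100.9 from 203.0.113.7 port 40003 ssh2
May  2 12:00:07 gw sshd[414]: Failed password for invalid user x from 198.51.100.9 from 203.0.113.7 port 40004 ssh2
May  2 12:01:10 gw sshd[420]: Failed password for tom from 192.0.2.10 port 51000 ssh2
May  2 12:01:15 gw sshd[421]: Failed password for tom from 192.0.2.10 port 51001 ssh2
May  2 12:01:20 gw sshd[422]: Failed password for tom from 192.0.2.10 port 51002 ssh2
May  2 12:02:00 gw sshd[430]: Failed password for invalid user bob from 198.51.100.20 port 33000 ssh2
May  2 12:02:30 gw sshd[431]: Accepted password for tom from 192.0.2.10 port 51003 ssh2
EOF
}

sample_log | offenders | drop_rules
```

In the sample, three lines carry a user name containing "from 198.51.100.9"; a parser that takes the first "from" would block that uninvolved address, while reading from the end of the line attributes the failures to the real source.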