On Saturday 03 October 2009 13:21:32 Per Jessen wrote:
Has anyone else noticed the wave of coordinated, distributed ssh attacks? Since Sep30 around 2100CET, I see a login attempt about once a minute, but coming from different IP-addresses. Looks like a coordinated attempt to circumvent the firewalls that block based on too many unsuccessful attempts.
If it would come from the same IP address, the following SUSE Firewall option (set via /etc/sysconfig/SuSEfirewall2) would have helped:

FW_SERVICES_REJECT_INT=""
# Example:
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

Still I suggest to enable it.

Is there a similar rule for different IP-addresses?

Andreas
-- 
Andreas Jaeger, Program Manager openSUSE, aj@{novell.com,opensuse.org}
Twitter: jaegerandi | Identica: jaegerandi
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
Maxfeldstr. 5, 90409 Nürnberg, Germany
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
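Added example, not part of the original message or of SuSEfirewall2: a log-side check showing why a per-address threshold like the hitcount rule above misses the pattern described (one attempt a minute, each from a new address), while counting distinct failing sources in a sliding window flags it. The OpenSSH "Failed password" log format, the function names, the thresholds and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Standard OpenSSH syslog line for a failed password (format assumed, not from the post).
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse(lines, year=2009):
    """Yield (timestamp, source_ip) per failed login; syslog omits the year."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def per_ip_blocked(events, hitcount=3, blockseconds=60):
    """Sources a per-address rule would catch: hitcount failures within blockseconds.
    Approximation: the firewall rule counts connections, this counts logged failures."""
    seen, blocked = {}, set()
    for ts, ip in events:
        q = seen.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] >= timedelta(seconds=blockseconds):
            q.popleft()
        if len(q) >= hitcount:
            blocked.add(ip)
    return blocked

def distributed_alerts(events, min_sources=5, window=timedelta(minutes=10)):
    """(timestamp, n) whenever n >= min_sources distinct addresses failed within the window."""
    q, alerts = deque(), []
    for ts, ip in events:
        q.append((ts, ip))
        while ts - q[0][0] >= window:
            q.popleft()
        sources = {addr for _, addr in q}
        if len(sources) >= min_sources:
            alerts.append((ts, len(sources)))
    return alerts

def sample_log():
    """Constructed sample: slow scan from 192.0.2.x (doc range), then one noisy host."""
    slow = [f"Oct  3 13:{m:02d}:07 host sshd[{4000 + m}]: Failed password for "
            f"invalid user admin from 192.0.2.{10 + m} port 4000{m} ssh2" for m in range(8)]
    noisy = [f"Oct  3 13:20:{s:02d} host sshd[5000]: Failed password for root "
             f"from 198.51.100.7 port 51000 ssh2" for s in (1, 9, 17)]
    return slow + noisy

if __name__ == "__main__":
    events = list(parse(sample_log()))
    print(per_ip_blocked(events), distributed_alerts(events))
```

On the constructed sample the per-address check flags only the single noisy host, while the aggregate check fires from the fifth distinct source onward.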