hi, On Mon, 2008-11-24 at 18:53 -0600, David C. Rankin wrote:
Brian K. White wrote:
Except as someone else pointed out, it doesn't piss the bad guys off, rather the opposite, it just confirms that there is really a nice machine/target/victim there. Where simply dropping or refusing the connection tells them a lot less.
Brian:
I agree and I ultimately just went with the disconnect.
ssh : mynormal.offsite.IP : ALLOW
ssh : LOCAL : ALLOW
ssh : ALL : DENY
I sure do wish I could send something back though. Just for a few hours I would love to give them ssh : ALL : twist cat /usr/bin mplayer
Well, you can return any unsuccessful ssh attempt with a flood of jumbo ICMPs. Doesn't solve anything. Just a feeling of revenge. It will cost you bandwidth otoh....
But alas, it doesn't look like you can send anything back of ssh attempts.
Additionally, since it was over the weekend and I was the only one that would need ssh, I just turned the port off at the router. After being closed for 24 hours, the frequency of the attempts dropped a fair amount. Though it could have just been the Sunday factor instead of the Friday factor.
I haven't taken any stats, but it seems that Thursday-Saturday is the most active time for attacks (generally). With the immensity of the problem, I wish there was something that could be done to curtail all the malicious attempts. (I guess we could outlaw windows) But seriously, something will need to be done in a globally coordinated way in the future.
From what I remember, it was just two slightly modified copies of your firewall ruleset, two "at" commands and a dozen perl lines for
Hi,
Except for running ssh on another port (already mentioned) you could do a "reversed port knocking" at your own door: (It's not my idea, but a friend reminded me of it.) There are many versions of it, but this scheme I like most:
1) normally, all traffic on port 22 is plainly dropped
2) if you perform a ping on some high unprivileged port, the ruleset is reloaded and port 22 gets opened.
3) After a successful ssh login, change the ruleset so that on port 22 only established tcp connections are allowed, no new connections.
4) after a predefined time (just short, to allow you to login) you go back to stage 1, listening on a dedicated ip port.
hw
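The four stages above as one self-resetting iptables ruleset (an added example, not code from this thread). It records the knock with the recent match and lets the time window expire on its own instead of reloading rulesets with at; the knock port 40022 and the 30-second window are assumed values.

```shell
#!/bin/sh
# Added example: "reverse port knocking" for ssh with iptables' recent match.
# Assumptions: knock port 40022 and a 30 s window; change to taste.
KNOCK_PORT="${KNOCK_PORT:-40022}"   # assumed high unprivileged knock port
OPEN_SECS="${OPEN_SECS:-30}"        # assumed window to start the login after a knock

# Print the ruleset in iptables-restore(8) format. Apply with:
#   knock_ruleset | iptables-restore
knock_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stage 3/4: after a login the established flow keeps working, nothing else does.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Stage 2: a SYN to the knock port records the source address and is then
# dropped, so the knock port itself never answers and never looks open.
-A INPUT -p tcp --syn --dport ${KNOCK_PORT} -m recent --name knock --set -j DROP
# Only a source that knocked within the last ${OPEN_SECS} s may open an ssh session;
# once the window has passed, new connections are dropped again (stage 4).
-A INPUT -p tcp --syn --dport 22 -m recent --name knock --rcheck --seconds ${OPEN_SECS} -j ACCEPT
# Stage 1: all other traffic to port 22 is plainly dropped (policy already drops it).
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
EOF
}
```

Since the knock is a plain SYN that is dropped, a scan of the knock port shows it as filtered, the same as every other closed port.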