On Mon, 12 Dec 2005, Carlos E. R. wrote:
The Sunday 2005-12-11 at 15:46 -0800, Scott Leighton wrote:
Yes, the script kiddies are a nuisance. I use login_sentry to send them on their way (it adds their IP address to hosts.deny).
That list could grow very large. Also, if those attacks come from dynamic IPs, you could have a deny line for an IP that has changed owner and now belongs to an honest person, while the attacker is using a new one you do not have listed yet.
I think I read in passing somewhere about an iptables rule to temporarily deny access to a certain IP; the rule is temporary and disappears after some time, freeing resources.
But I don't know what it is.
I assume you're looking for the "recent" module for iptables.

  # Blocking ssh attacks
  /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
  /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
  /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

This will block all further SYNs from an IP address starting on the sixth port 22 connection within 60 seconds. It takes 60 seconds of absolute quiet from that same IP address (or a reboot) to make the block go away. Kills a LOT of brute force ssh attacks. I've also used this both against web statistics spammers and email DoSers with good results.

Bjørn

-- 
Bjørn Tore Sund         Phone:  (+47) 555-84894   Stupidity is like a
System administrator    Fax:    (+47) 555-89672   fractal; universal and
Math. Department        Mobile: (+47) 918 68075   infinitely repetitive.
University of Bergen    VIP:    81724
Support: http://bs.uib.no   Contact: teknisk@mi.uib.no   Direct: bjornts@mi.uib.no
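The following is an added example, not code from the mailing-list post: a small Python model of the kernel's "recent" match, walking constructed SYN traffic through the three rules above to show why the sixth SYN in 60 seconds is rejected and why the block only lifts after 60 seconds of silence (the --set rule refreshes the address on every SYN, whether or not it is rejected). It assumes the kernel default of 20 stamps per address (ip_pkt_list_tot) and that a stamp counts while stamp + seconds > now; the IP addresses are RFC 5737 documentation addresses, the traffic timeline is made up.

```python
"""Model of the iptables 'recent' match behind the three SSH rules.

Added example, not from the original post.  Assumptions: ip_pkt_list_tot
keeps 20 stamps per address (kernel default) and a stamp is counted while
stamp + seconds > now.  Times are plain seconds instead of jiffies.
"""
from collections import deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 6          # --hitcount 6
LIST_TOT = 20         # ip_pkt_list_tot (assumed kernel default)


class RecentList:
    """One named list (--name sshattack): source address -> recent stamps."""

    def __init__(self, list_tot=LIST_TOT):
        self.entries = {}
        self.list_tot = list_tot

    def _stamps(self, src):
        # deque(maxlen=...) drops the oldest stamp once the ring is full
        return self.entries.setdefault(src, deque(maxlen=self.list_tot))

    def set(self, src, now):
        """--set: record a stamp for src unconditionally."""
        self._stamps(src).append(now)

    def hits(self, src, now, seconds=WINDOW_SECONDS):
        """Number of stamps for src still inside the window."""
        return sum(1 for s in self._stamps(src) if s + seconds > now)

    def rcheck(self, src, now, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        """--rcheck: match if src was seen at least hitcount times in seconds."""
        return self.hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        """--update: like --rcheck, but a match also records a fresh stamp."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self._stamps(src).append(now)
        return matched


def ssh_syn(table, src, now, log):
    """Run one TCP SYN to port 22 through the three rules from the post.

    Returns 'REJECT' when the third rule fires, otherwise 'ACCEPT' (the
    packet fell through to whatever follows in the INPUT chain).
    """
    table.set(src, now)                                   # rule 1: --set
    if table.update(src, now):                            # rule 2: -j LOG
        log.append("SSH attack: SRC=%s t=%d" % (src, now))  # LOG does not terminate
    if table.update(src, now):                            # rule 3: -j REJECT
        return "REJECT"
    return "ACCEPT"


def brute_force_scenario():
    """Constructed traffic: a six-SYN burst from one address, a straggler at
    t=50 (still inside the window), one SYN after more than 60 s of silence,
    and one innocent client in the middle of the burst."""
    attacker, client = "198.51.100.7", "203.0.113.9"     # RFC 5737 addresses
    syns = [(t, attacker) for t in range(6)]
    syns += [(3, client), (50, attacker), (115, attacker)]
    syns.sort()
    table, log = RecentList(), []
    verdicts = [(t, src, ssh_syn(table, src, t, log)) for t, src in syns]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = brute_force_scenario()
    for t, src, verdict in verdicts:
        print("t=%3d %-14s %s" % (t, src, verdict))
    print("\n".join(log))
```

Running it shows the first five SYNs pass, the sixth (t=5) is logged and rejected, the SYN at t=50 is still rejected because every SYN adds a stamp and all the earlier ones are still inside the 60-second window, and the SYN at t=115 passes again because no stamp newer than t=55 exists. The innocent client at t=3 is never affected, since the list is keyed per source address.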