Richard Creighton wrote:
Just about every day, often several times a day, my logs include hours of log entries that look like this:
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42
Jul 16 00:36:06 raid5 sshd[6985]: Invalid user webmaster from 83.18.244.42
Jul 16 00:36:11 raid5 sshd[6987]: Invalid user username from 83.18.244.42
Jul 16 00:36:16 raid5 sshd[6989]: Invalid user user from 83.18.244.42
Jul 16 00:36:26 raid5 sshd[6994]: Invalid user admin from 83.18.244.42
Jul 16 00:36:31 raid5 sshd[6996]: Invalid user test from 83.18.244.42
Jul 16 00:36:51 raid5 sshd[7017]: Invalid user danny from 83.18.244.42
Jul 16 00:36:56 raid5 sshd[7019]: Invalid user alex from 83.18.244.42
Jul 16 00:37:01 raid5 sshd[7022]: Invalid user brett from 83.18.244.42
Jul 16 00:37:06 raid5 sshd[7024]: Invalid user mike from 83.18.244.42
Jul 16 00:37:12 raid5 sshd[7027]: Invalid user alan from 83.18.244.42
Jul 16 00:37:18 raid5 sshd[7029]: Invalid user data from 83.18.244.42
Jul 16 00:37:22 raid5 sshd[7031]: Invalid user www-data from 83.18.244.42
Jul 16 00:37:28 raid5 sshd[7033]: Invalid user http from 83.18.244.42
Jul 16 00:37:33 raid5 sshd[7037]: Invalid user httpd from 83.18.244.42
Jul 16 00:37:38 raid5 sshd[7040]: Invalid user pop from 83.18.244.42
..... and so on, ad nauseam. Obviously, someone is trying to break into my system via SSH. So far as I can tell from examining my logs and my systems (usually at least 4 other systems on my LAN are under simultaneous attacks from the same source(s)), the daemon is successfully withstanding the assault and the system is not compromised.
My question is: what, if any, firewall rule could I write that could detect such attacks and automatically shut down forwarding packets from the offending node or domain? That would give me an additional layer of defense as well as freeing up a significant amount of log file space.
It is possible to filter on IP address in your firewall. You can also deny addresses in various config files, such as hosts.deny etc.

--
Use OpenOffice.org <http://www.openoffice.org>

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org