Mon, 16 Jul 2007, by ricreig@gmail.com:
Just about every day, often several times a day, my logs include hours of log entries that look like this:
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
[..]

My question is what, if any, firewall rule could I write that could detect such attacks and automatically shut down forwarding packets from the offending node or domain? That would give me an additional layer of defense as well as freeing up a significant amount of log file space.
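As an added illustration of the detection half of that question (not code from the thread), the following script parses sshd "Invalid user" lines of exactly the form quoted above, counts attempts per source address inside a sliding time window, and renders (without executing) one iptables DROP rule per offender. The sample log is constructed: it reuses the three quoted lines plus attempts from 192.0.2.10, a documentation address, spread out too widely to trigger the block; the year 2007 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd lines quoted in the post: syslog timestamp, host, pid, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_ts(ts, year=2007):
    """Syslog timestamps have no year; 2007 is assumed to match the thread's date."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, threshold=3, window=60):
    """Return {ip: time_threshold_was_reached} for every source IP that produced at
    least `threshold` 'Invalid user' attempts inside any `window`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps of attempts still inside the window
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("ip") in blocked:
            continue                # not an sshd probe line, or already flagged
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > window:
            q.popleft()             # drop attempts that have aged out of the window
        if len(q) >= threshold:
            blocked[ip] = t
    return blocked

def block_commands(offenders):
    """Render one iptables rule per offender; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(offenders)]

# Constructed sample: the three lines from the post plus slow, widely spaced probes.
SAMPLE_LOG = [
    "Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42",
    "Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42",
    "Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42",
    "Jul 16 00:40:01 raid5 sshd[7001]: Invalid user admin from 192.0.2.10",
    "Jul 16 00:50:01 raid5 sshd[7042]: Invalid user test from 192.0.2.10",
    "Jul 16 01:00:01 raid5 sshd[7090]: Invalid user guest from 192.0.2.10",
]

if __name__ == "__main__":
    for cmd in block_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

A persistent iptables rate limit (the `recent` match) or a log watcher such as fail2ban does the same job continuously; this script only shows the per-source windowed count behind that approach.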
Do you really need to have ssh open for the complete Internet? Maybe you can limit the amount of ranges that are allowed to connect to begin with? Also: using another port does help. Maybe not forever, but certainly for the bulk of the brainless scripts out there.

For myself; I only need ssh access for me, so I have it listening only on IPv6, and another port of course, and firewalled all but a few hosts.

Theo
--
Theo v. Werkhoven