Benji Weber wrote:
On 16/07/07, Richard Creighton <ricreig@gmail.com> wrote:
My question is what, if any, firewall rule could I write that could detect such attacks and automatically shut down forwarding packets from the offending node or domain? That would give me an additional layer of defense as well as freeing up a significant amount of log file space.
Set the following line
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh"
in /etc/sysconfig/SuSEfirewall2. This will limit to a maximum of 3 attempts per 120s.
Even more effective can be running sshd on an unusual port, or installing something like "fail2ban".
Using keys instead of passwords is better. Also, if ssh is not used off site, simply block it at the firewall.
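The FW_SERVICES_ACCEPT_EXT entry quoted above, as an added example that is not part of the original thread and is not SuSEfirewall2's own code: it parses the entry and runs it over constructed connection attempts to show what the 3-per-120s limit does per source address. The function names, the sample addresses and the window model (every new attempt is recorded, including dropped ones) are assumptions of this sketch.

```python
# Added illustration; the window model is an assumption, not SuSEfirewall2 code.
from collections import defaultdict, deque

def parse_accept_entry(entry):
    """Split one 'net,protocol,dport,sport,flag=value,...' entry into a dict."""
    fields = entry.split(",")
    if len(fields) < 3:
        raise ValueError("need at least net,protocol,dport")
    flags = {}
    for flag in fields[4:]:
        key, sep, value = flag.partition("=")
        if not sep:
            raise ValueError(f"flag without value: {flag!r}")
        flags[key] = value
    # A limit needs both numbers; one without the other is treated as an error.
    if ("hitcount" in flags) != ("blockseconds" in flags):
        raise ValueError("hitcount and blockseconds must be set together")
    limited = "hitcount" in flags
    return {"net": fields[0], "proto": fields[1], "dport": fields[2],
            "recentname": flags.get("recentname"),
            "hitcount": int(flags["hitcount"]) if limited else None,
            "blockseconds": int(flags["blockseconds"]) if limited else None}

def simulate(rule, attempts):
    """attempts: (seconds, source_ip) pairs in time order -> list of verdicts."""
    if rule["hitcount"] is None:
        return ["ACCEPT"] * len(attempts)   # no rate limit configured
    seen = defaultdict(deque)               # per-source timestamps of attempts
    verdicts = []
    for ts, src in attempts:
        hits = seen[src]
        while hits and ts - hits[0] >= rule["blockseconds"]:
            hits.popleft()                  # forget attempts outside the window
        hits.append(ts)                     # dropped attempts are counted too
        verdicts.append("ACCEPT" if len(hits) <= rule["hitcount"] else "DROP")
    return verdicts

RULE = parse_accept_entry("0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh")
# Constructed sample: one source retrying every 10 s, one user connecting twice.
ATTEMPTS = [(0, "203.0.113.5"), (10, "203.0.113.5"), (15, "198.51.100.7"),
            (20, "203.0.113.5"), (30, "203.0.113.5"), (40, "203.0.113.5"),
            (100, "198.51.100.7"), (300, "203.0.113.5")]

if __name__ == "__main__":
    for (ts, src), verdict in zip(ATTEMPTS, simulate(RULE, ATTEMPTS)):
        print(f"t={ts:>3}s {src:<13} {verdict}")
```

The limit is tracked per source address, so the occasional legitimate login is unaffected while the repeated guesser is cut off after its third attempt until the window has passed.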