how to react on ssh attacks? [solved]
Brian Gaynor
briang at pmccorp.com
Tue Oct 25 23:01:06 UTC 2005
On Tue, 2005-10-25 at 14:08 -0400, Neal Becker wrote:
> Eventually hosts.deny is getting too big. If this is really fedora's
> answer, then I think we'll need a version of tcpwrappers that has some kind
> of database, rather than a flat file.
I agree, although by layering iptables blocking with denyhosts I am able
to greatly reduce the number of hosts.deny entries. Like many people on
this list, I have a set of rules in iptables that look for too many ssh
logins in too short a time period. If the threshold is exceeded,
connections from the offending IP are dropped for a time. Most script
kiddies hit the block and just go away. Some script kiddies, however,
come back later. For them I have denyhosts running at a threshold one
above the iptables script. I typically see denyhosts trigger only once
or twice a day for these more serious threats.
--
Brian Gaynor
www.pmccorp.com
FC4/Linux on DELL Inspiron 5160 3.0Ghz
canis 15:52:13 up 7:22, 1 user,
load average: 0.14, 0.22, 0.16
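
The layering described in the message above, modeled as an added example that is not part of the original post and is not iptables or denyhosts code. Assumptions: the limits (3 connections per 60 seconds, a 300-second drop), the class and function names, and a failure count that never ages out are all chosen here for illustration; the traffic is constructed.

```python
from collections import defaultdict, deque

class LayeredGuard:
    """Toy model: a timed rate block in front of a persistent deny list."""
    def __init__(self, max_hits=3, window=60, block_for=300):
        self.max_hits, self.window, self.block_for = max_hits, window, block_for
        self.deny_threshold = max_hits + 1   # "one above" the rate-limit threshold
        self.recent = defaultdict(deque)     # ip -> timestamps of accepted connections
        self.blocked_until = {}              # ip -> end of the temporary drop
        self.failures = defaultdict(int)     # ip -> failed logins seen in the auth log
        self.hosts_deny = set()              # stands in for /etc/hosts.deny

    def attempt(self, ts, ip):
        if ip in self.hosts_deny:
            return "denied"
        if ts < self.blocked_until.get(ip, 0):
            return "dropped"
        hits = self.recent[ip]
        while hits and ts - hits[0] >= self.window:
            hits.popleft()                   # forget connections outside the window
        if len(hits) >= self.max_hits:
            self.blocked_until[ip] = ts + self.block_for
            hits.clear()
            return "dropped"
        hits.append(ts)
        self.failures[ip] += 1               # constructed traffic: every login fails
        if self.failures[ip] >= self.deny_threshold:
            self.hosts_deny.add(ip)
        return "failed-login"

def replay(events, **settings):
    guard = LayeredGuard(**settings)
    outcomes = [(ts, ip, guard.attempt(ts, ip)) for ts, ip in sorted(events)]
    return guard, outcomes

# Constructed sample: both hosts send a 10-connection burst; only the second returns.
ONE_SHOT, RETURNING = "192.0.2.10", "198.51.100.7"
SAMPLE = [(t, ONE_SHOT) for t in range(10)] + [(t, RETURNING) for t in range(10)]
SAMPLE += [(3600, RETURNING), (3601, RETURNING)]

if __name__ == "__main__":
    guard, outcomes = replay(SAMPLE)
    for ts, ip, result in outcomes:
        print(f"{ts:>5} {ip:<14} {result}")
    print("hosts.deny:", sorted(guard.hosts_deny))
```

The host that gives up after the temporary drop stops one failure short of the deny threshold, so only the host that comes back after the drop expires ends up in the deny list.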