Blocking port automatically
Wolfgang S. Rupprecht
wolfgang.rupprecht+gnus200702 at gmail.com
Mon Feb 19 20:43:48 UTC 2007
Gene Heskett <gene.heskett at verizon.net> writes:
> It's very hard to further your attack on a machine when your address is one
> that's never going to be responded to by the machine so protected. You
> cannot prove the machine even exists, no ping response, nothing comes
> back once portsentry has been tripped. And you can make it very paranoid
> indeed.
What does the iptables file for portsentry look like?
I've been experimenting with adding some fairly aggressive (read:
dangerous) rules to iptables in an attempt to reclaim lots of the
bandwidth and cpu time the script kiddies are robbing me of.
Basically I use the module "recent" to set a 1-week timer on their IP
for any scanning or excessive connection attempts. Then near the top
of the iptables I drop all future packets from them till the timer
runs out. This effectively gives them the cold shoulder treatment and
they tend to go away after a minute or two.
What is amusing, during testing I had the IP timeout set for 10
minutes. It was this way for 6 weeks as I was making sure the system
was working as intended. Well I guess that was long enough for
evolution to take place. One kiddie noticed the 10-minute timeout and
came back every 12 minutes to beat on the ssh server a bit more.
Silly kiddie, if he'd read my web page he'd have noticed that that
server doesn't allow passworded logins anyway, just RSA.
-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
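An added example of the kind of "recent"-module ruleset the post describes (my own rules, not Wolfgang's and not portsentry's; the list and chain names, the thresholds, the served ports and the trusted address are all assumptions):

```shell
#!/bin/sh
# Added example, not the rules from the post or from portsentry.
# Assumed (not in the post): list name "scanners", chain "TRIP", ssh on
# tcp/22 and http on tcp/80 as the only services, the BURST_* thresholds,
# and TRUSTED as a constructed admin address that must never be blocked.
BLOCK_SECONDS=604800   # 1 week: the timer length the post settled on
BURST_SECONDS=60       # window for counting new ssh connections
BURST_HITS=5           # the 5th new ssh connection in the window trips the timer
LIST=scanners
TRUSTED="${TRUSTED:-192.0.2.10}"
SERVICES="22,80"

# Print the INPUT-chain rules in the order they must be loaded.
# Apply as root with:  recent_block_rules | sh
recent_block_rules() {
  cat <<EOF
# TRIP: put the source address on the list, timestamp it, drop the packet.
iptables -N TRIP
iptables -A TRIP -m recent --name $LIST --set -j DROP
iptables -A INPUT -i lo -j ACCEPT
# Trusted addresses bypass everything below, so a typo cannot lock the admin out.
iptables -A INPUT -s $TRUSTED -j ACCEPT
# The cold shoulder, near the top: anyone tripped within the last week is
# dropped silently. --rcheck leaves the timestamp alone so the timer runs out
# on schedule; --update here would restart it on every dropped packet.
iptables -A INPUT -m recent --name $LIST --rcheck --seconds $BLOCK_SECONDS -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Excessive ssh attempts: count new connections per source, trip on the Nth.
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshnew --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshnew --update --seconds $BURST_SECONDS --hitcount $BURST_HITS -j TRIP
iptables -A INPUT -p tcp --syn -m multiport --dports $SERVICES -j ACCEPT
# Scanning: a SYN to any port we do not serve is the trap.
iptables -A INPUT -p tcp --syn -m multiport ! --dports $SERVICES -j TRIP
iptables -P INPUT DROP
EOF
}

# xt_recent keeps only ip_list_tot entries per list (default 100), so a week of
# scanners overflows it; load the module with a larger table beforehand:
#   modprobe xt_recent ip_list_tot=10000
# The live list is readable at /proc/net/xt_recent/$LIST; writing "-ADDR" to it
# releases ADDR early (ADDR is a placeholder for the real address).
blocked_addresses() {
  cat "/proc/net/xt_recent/$LIST"
}
```

Preview the generated rules with a plain `recent_block_rules` before piping them to `sh`, and keep the trusted-address ACCEPT above the drop rule or the first mistyped threshold blocks you as well.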