crazy hackers and logwatch

Brian Gaynor briang at pmccorp.com
Tue Aug 9 16:00:23 UTC 2005


On Tue, 2005-08-09 at 09:39 -0600, Kevin Fenzi wrote:
> A better rule (IMHO), I use: 
> 
> $IPTABLES -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
> 
> This has the advantage of only blocking the offending IP if they go
> over 1/min, but letting all other IPs still have access until they go
> over the limit.

I've used similar rules for some time now and they've proven very
effective. The only problem I've run into is with Subversion over SSH;
it generates a lot of short connections sometimes (for example when
browsing a repository) and can look like an attack to this kind of
block. For that reason I am interested in testing DenyHosts.

-- 
Brian Gaynor
www.pmccorp.com
FC4/Linux on DELL Inspiron 5160 3.0Ghz 
canis 08:55:20 up 26 min, 1 user, load average: 0.27, 0.22,
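
Added example (not part of the original messages or any poster's code): a simplified Python token-bucket model of the per-source-IP limit in the quoted rule, showing why a run of short svn+ssh connections is refused just like a password-guessing run while an unrelated address is unaffected. It assumes hashlimit's default burst of 5 (the rule sets no `--hashlimit-burst`) and uses constructed traffic with documentation-range addresses; the class and function names are hypothetical.

```python
from collections import defaultdict

RATE_PER_SEC = 1 / 60.0   # --hashlimit 1/min from the quoted rule
BURST = 5                 # assumed: hashlimit's default --hashlimit-burst

class PerSourceLimiter:
    """Simplified token-bucket model of --hashlimit-mode srcip (not kernel code)."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))  # one bucket per source IP
        self.last_seen = {}

    def new_connection(self, src_ip, now):
        """True if the NEW packet matches the ACCEPT rule, False if it falls through."""
        elapsed = now - self.last_seen.get(src_ip, now)
        self.last_seen[src_ip] = now
        # Refill at the configured rate, never above the burst size.
        self.tokens[src_ip] = min(self.burst, self.tokens[src_ip] + elapsed * self.rate)
        if self.tokens[src_ip] >= 1.0:
            self.tokens[src_ip] -= 1.0
            return True
        return False

def replay(events):
    """events: (seconds, src_ip) tuples in time order -> {src_ip: [accepted, refused]}."""
    limiter = PerSourceLimiter()
    result = defaultdict(lambda: [0, 0])
    for now, src in events:
        accepted = limiter.new_connection(src, now)
        result[src][0 if accepted else 1] += 1
    return dict(result)

# Constructed sample traffic (documentation address ranges, not real hosts):
SVN_CLIENT = "192.0.2.10"   # svn+ssh repository browsing: 12 connections, 2 s apart
SCANNER = "198.51.100.7"    # password guessing: 30 connections, 1 s apart
ADMIN = "203.0.113.5"       # one interactive login while the others are active
EVENTS = sorted(
    [(2 * i, SVN_CLIENT) for i in range(12)]
    + [(i, SCANNER) for i in range(30)]
    + [(15, ADMIN)]
)

if __name__ == "__main__":
    for src, (ok, refused) in replay(EVENTS).items():
        print(f"{src:15} accepted={ok:2} refused={refused:2}")
```

Connections that do not match the ACCEPT rule are only refused if a later rule or the chain policy drops them, which this model takes as given.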
