crazy hackers and logwatch
Ted Kaczmarek
tedkaz at optonline.net
Wed Aug 10 00:40:06 UTC 2005
On Tue, 2005-08-09 at 13:32 -0500, Justin Conover wrote:
> On 8/9/05, Justin Conover <justin.conover at gmail.com> wrote:
> > On 8/9/05, Brian Gaynor <briang at pmccorp.com> wrote:
> > > On Tue, 2005-08-09 at 09:39 -0600, Kevin Fenzi wrote:
> > > > A better rule (IMHO), I use:
> > > >
> > > > $IPTABLES -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
> > > >
> > > > This has the advantage of only blocking the offending IP if they go
> > > > over 1/min, but letting all other ip's still have access until they go
> > > > over the limit.
> > >
> > > I've used similar rules for some time now and they've proven very
> > > effective. The only problem I've run into is with subversion over SSH,
> > > it generates a lot of short connections sometimes (for example when
> > > browsing a repository) and can look like an attack to this kind of
> > > block. For that reason I am interested in testing DENYHOSTS.
> > >
> > > --
> > > Brian Gaynor
> > > www.pmccorp.com
> > > FC4/Linux on DELL Inspiron 5160 3.0Ghz
> > > canis 08:55:20 up 26 min, 1
> > > user, load average: 0.27, 0.22,
> > >
> > >
> > > --
> > > fedora-test-list mailing list
> > > fedora-test-list at redhat.com
> > > To unsubscribe:
> > > http://www.redhat.com/mailman/listinfo/fedora-test-list
> > >
> >
> >
> > Bastards really want in.
> >
> >
> > sshd:
> > Authentication Failures:
> > root (61.185.220.46): 528 Time(s)
> > unknown (61.185.220.46): 221 Time(s)
> > mail (61.185.220.46): 2 Time(s)
> > mysql (61.185.220.46): 2 Time(s)
> > news (61.185.220.46): 2 Time(s)
> > adm (61.185.220.46): 1 Time(s)
> > apache (61.185.220.46): 1 Time(s)
> > bin (61.185.220.46): 1 Time(s)
> > ftp (61.185.220.46): 1 Time(s)
> > games (61.185.220.46): 1 Time(s)
> > ldap (61.185.220.46): 1 Time(s)
> > lp (61.185.220.46): 1 Time(s)
> > nobody (61.185.220.46): 1 Time(s)
> > operator (61.185.220.46): 1 Time(s)
> > root (201.145.24.178): 1 Time(s)
> > rpm (61.185.220.46): 1 Time(s)
> > squid (61.185.220.46): 1 Time(s)
> > sshd (61.185.220.46): 1 Time(s)
> > Invalid Users:
> > Unknown Account: 221 Time(s)
> > Bad User: root: 1 Time(s)
> > Sessions Opened:
> > justin: 1 Time(s)
> >
> ssh bob@<myIP>
> Stay the **** off my box! Loosers, you can't get in. Your a bunch of
> script-kiddes that suckled on your momma to long. If you think your
> talented, than use it to do real hacking, like on Open Source Linux.
> Otherwise, take your noobie cracking ass back to school!
>
What is really going to be funny, is when someone ends up with a few
hundred thousands lines of firewall config and restart's their firewall
or reloads their box. I don't see where most people would benefit from a
slew of 32 bit length firewall rules. Now if it where smart enough to
block the entire ip block, preferably top registration that would be
much more useful.
Be careful what you wish for, you might just get it.
Ted
More information about the fedora-test-list
mailing list