Seconded regarding denyhosts; it is very nice. In addition, I also
allow SSH connections only from certain subnets--yes, even on the
trusted network. Kids are quite inventive, you know. Just throw up a
couple of iptables lines like this:

    # Permit only 192.168.1.0/24 to SSH to us
    iptables -A INPUT -i eth0 -p tcp --source 192.168.1.0/24 --destination-port 22 -j ACCEPT
    # Deny everything else on TCP 22
    iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP

And you can add any other self-protection rules that you like.

--TP
_______________________________
Do you GNU? Microsoft Free since 2003--the ultimate antivirus protection!

Michael Blinn wrote:
Not true. I use and recommend the package 'denyhosts' - Nice little
python script that daemonizes to periodically check /var/log/secure,
adding IPs from brute-force attackers to /etc/hosts.deny, then emails
me its actions. You can also set an auto-expire time for those blocks.
I love it.
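As an added example (written for this page, not code from either poster or from the denyhosts project), here is a small Python sketch of the mechanism the thread describes: count sshd "Failed password" lines per source address in a constructed /var/log/secure sample, emit /etc/hosts.deny entries for repeat offenders while exempting the trusted 192.168.1.0/24 subnet from TP's iptables rule so a LAN typo cannot lock you out, and purge entries after an expiry window. The timestamped comment line, the threshold of 3 and the 7-day expiry are assumptions of this example, not denyhosts's real file format or defaults.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (made up for this example).
SAMPLE_SECURE_LOG = """\
Mar  3 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 host sshd[1236]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:02:00 host sshd[1241]: Failed password for tp from 192.168.1.20 port 40001 ssh2
Mar  3 10:02:30 host sshd[1242]: Failed password for tp from 192.168.1.20 port 40002 ssh2
Mar  3 10:02:40 host sshd[1243]: Failed password for tp from 192.168.1.20 port 40003 ssh2
"""
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+(?:\.\d+){3})")
STAMP_FMT = "%Y-%m-%d %H:%M:%S"   # assumed stamp format for the comment line
NOW = datetime(2024, 3, 3, 12, 0, 0)      # fixed clock so the example is reproducible
LATER = NOW + timedelta(days=8)           # a later run, past the 7-day expiry

def count_failures(log_text):
    """Count sshd 'Failed password' lines per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def hosts_deny_lines(counts, now, threshold=3, trusted=("192.168.1.0/24",)):
    """Build hosts.deny entries for IPs at/over threshold. Addresses inside the
    trusted subnet are never listed; each entry gets a comment line with its time."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    lines = []
    for ip, n in sorted(counts.items()):
        if n < threshold or any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        lines += [f"# blocked {now.strftime(STAMP_FMT)}", f"sshd: {ip}"]
    return lines

def purge_expired(lines, now, max_age=timedelta(days=7)):
    """Drop comment+entry pairs whose 'blocked' stamp is older than max_age (auto-expire)."""
    kept = []
    for i in range(0, len(lines), 2):   # lines come in (comment, entry) pairs
        stamp = datetime.strptime(lines[i].removeprefix("# blocked "), STAMP_FMT)
        if now - stamp <= max_age:
            kept += lines[i:i + 2]
    return kept
```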