
Re: Denial of service



Jacques B. wrote:
So I turned off sshd but that didn't stop the problem. I am getting hit
several times a second by someone. I would sure like to at least know
the IP they are from.

        Karl F. Larsen, AKA K5DI

Throw a gateway/router in front of your machine.  It will add a layer
of protection and pretty much kill the noise altogether except on
ports that you have services running and have port forwarding enabled
on the router.  Otherwise any attempts to initiate a connection gets
dropped at the router.

If you do have a router and did not disable port forwarding after
shutting down sshd, and left port 22 open on your box then you will
still get noise I expect, just no daemon listening on that port.

And as Jonathan asked, how do you know this?  If it's via your
/var/log/secure then you have their IPs in the log.  If it's against a
web server then you will have their IPs in those logs.  Where are you
seeing all these hits on your system?

Jacques B.


Also take a look at OSSEC, it will email you the portion of the logs about the sshd attacks and has an active-response module that will add the IP to hosts.deny or set up iptables rules to block that IP for a set duration. I use it on several servers and it works really well.



--
Recedite, plebes! Gero rem imperialem!


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
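
Added example, not part of the original messages: one way to pull the source IPs of failed sshd logins out of /var/log/secure, as suggested in the thread. The log lines are constructed samples using documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in /var/log/secure format; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 10:15:01 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Mar  3 10:15:02 host sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2
Mar  3 10:15:02 host sshd[2107]: Failed password for root from 198.51.100.7 port 51822 ssh2
Mar  3 10:16:40 host sshd[2110]: Accepted password for karl from 192.0.2.10 port 60022 ssh2
Mar  3 10:17:05 host sshd[2112]: Failed password for invalid user x from 10.9.9.9 from 203.0.113.5 port 40120 ssh2
Mar  3 10:17:09 host su: pam_unix(su:session): session opened for user root by karl(uid=500)
"""

# The username is chosen by the client, so it can itself contain " from <ip>".
# A greedy user match plus the end-of-line anchor makes the last "from" the real peer.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def failed_logins(log_text):
    """Return (attempts per source IP, usernames tried per source IP)."""
    counts, users = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return counts, users

def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` failed logins, busiest first."""
    counts, _ = failed_logins(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    counts, users = failed_logins(SAMPLE_LOG)
    for ip, n in offenders(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins, users tried: {sorted(users[ip])}")
```

To run it against a real log, pass the contents of /var/log/secure to `offenders()` instead of `SAMPLE_LOG`.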

