[rhn-users] Automatically blocking IP addresses

Simon Ball sball at cromwells.co.uk
Sat Jun 3 14:20:39 UTC 2006


Check out DenyHosts if you want automatic intrusion detection / lock out: 

http://denyhosts.sourceforge.net/index.html

You can deny access in /etc/ssh/sshd_config based on IP, or in /etc/hosts.deny and /etc/hosts.allow. Read up on tcpwrappers for more details. 

Simon

----- Original Message -----
From: Bernt Habermeier <bernt at wulfram.com>
To: rhn-users at redhat.com
Sent: Saturday, June 3, 2006 2:16:33 PM GMT+0000
Subject: [rhn-users] Automatically blocking IP addresses

I recently put up a new server, and I'm seeing several machines trying to
break in.  Example:

Jun  1 02:41:31 localhost sshd(pam_unix)[3447]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.137.197.100  user=root

Every 5 seconds, for hundreds of attempts.  But that's not the only IP
address doing that.
...

Is there an easy way to set up linux to detect this sort of thing and
auto-deny all connections from servers like that?  I guess the
alternative would be for me to restrict ssh access to a few IP addresses,
but that would kind of become a problem for when I'm on the road and need
to log in.  I wish I could restrict ssh access to certain hardware (maybe
using the MAC address, but I know that information is not transmitted via
TCP/IP, so I guess there is no chance of that).


-- 
Simon Elliston Ball
Infrastructure Manager
Cromwell Business Systems
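
The detection the thread asks about, as an added example that is not part of the original messages and is not DenyHosts' own code: it parses the sshd(pam_unix) failure format quoted above, counts failures per source address in a sliding window, and renders /etc/hosts.deny entries. The threshold, window, allowlist and sample addresses are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Strict match for the sshd(pam_unix) line format quoted in the thread. Every
# field before rhost= is pinned, so text in the trailing user= field (chosen by
# the remote client) cannot pose as the source address.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure; logname=\S* uid=\d+ euid=\d+ tty=\S+ ruser=\S* "
    r"rhost=(?P<rhost>\S+)")

def offenders(lines, year, threshold=5, window_s=60, allow=()):
    """Addresses with >= threshold failures inside a sliding window (assumed policy)."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent, flagged = defaultdict(deque), []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("rhost"))
        except ValueError:
            continue  # rhost was a hostname or junk: never write it to a deny file
        if any(ip in net for net in allowed):
            continue  # admin networks are never locked out
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def hosts_deny_lines(ips):
    """Render tcpwrappers entries; IPv6 addresses are bracketed."""
    return [f"sshd: [{ip}]" if ip.version == 6 else f"sshd: {ip}" for ip in ips]

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE = [
    f"Jun  1 02:41:{s:02d} localhost sshd(pam_unix)[3447]: authentication failure; "
    f"logname= uid=0 euid=0 tty=ssh ruser= rhost={src}  user=root"
    for src, secs in (("203.0.113.7", range(1, 31, 5)), ("198.51.100.20", (5, 50)),
                      ("192.0.2.10", range(0, 60, 6)), ("scanner.example", range(9)))
    for s in secs]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE, 2006, allow=["192.0.2.0/24"]))))
```

The allowlist covers the "on the road" concern only for networks known in advance; from unknown networks, key-only authentication is what keeps a roaming admin from being locked out by their own typos.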

