[KLUG Members] auto-nullrouting

Bruce Smith bruce at armintl.com
Wed Nov 23 10:15:08 EST 2005


> I always use very strong passwords, but I have a few users on this
> machine who might not, so I'd like to automatically detect this
> kind of attack and reject all traffic from and to that IP number
> for a few hours.  It doesn't have to respond instantaneously or
> anything:  within a few minutes is fine.
> 
> (a) Anyone know of a Debian package that does this?
> 
> (b) If not, does anyone have a favorite way to build this behavior
> using standard tools?  I could pretty easily write a script to tail
> the log and permanently ban such IPs, but for the sake of a clean
> routing table I'd rather the IPs get unbanned after a few hours,
> which is a somewhat more difficult project.

It's been my experience that the easiest solution is to simply change
the port SSHD listens on to a high/non-standard port.  The dictionary
attack bots only scan port 22.

I personally only allow SSH keys to log in and turn off password
authentication.

And if you really want to block, I have some netfilter (iptables) rules
that will block port 22 for a while after detecting a high frequency of
connections in a short period of time.

 - BS
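
The following is an added example, not code from either poster and not the netfilter rules mentioned above: one way to get the timed unban asked about in (b), written in Python. The class and function names, the thresholds, the sample log lines and the `year` parameter (syslog timestamps carry no year) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at both ends: the address captured is the one sshd appended, not text in the user name.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                    r"for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$")

class BanList:
    """Temporary bans: max_failures within window earns a ban lasting ban_for."""
    def __init__(self, max_failures=5, window=timedelta(minutes=5), ban_for=timedelta(hours=3)):
        self.max_failures, self.window, self.ban_for = max_failures, window, ban_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban expires

    def expire(self, now):
        """Lift every ban whose time is up; return the matching unban actions."""
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return [("unban", ip) for ip in done]

    def feed(self, line, year=2005):
        """Handle one log line; return a list of ("ban"|"unban", ip) actions."""
        m = FAILED.match(line)
        if not m:
            return []
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        actions, ip = self.expire(now), m.group(2)
        if ip in self.banned:
            return actions
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned[ip] = now + self.ban_for
            del self.failures[ip]
            actions.append(("ban", ip))
        return actions

# Constructed sample log (documentation addresses), not taken from a real host.
SAMPLE = [f"Nov 23 10:00:{s:02d} box sshd[411]: Failed password for invalid user "
          f"admin from 192.0.2.10 port 4000 ssh2" for s in range(0, 50, 10)]
SAMPLE += ["Nov 23 13:30:00 box sshd[980]: Failed password for bob from 198.51.100.7 port 5111 ssh2"]

def replay(lines):
    bans = BanList()
    return [action for line in lines for action in bans.feed(line)]
```

In use, each returned action would add or remove a firewall rule or null route, and `expire()` would also run on a timer, since here a ban is only lifted when the next failure line arrives.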



