[KLUG Members] auto-nullrouting
Bruce Smith
bruce at armintl.com
Wed Nov 23 10:15:08 EST 2005
> I always use very strong passwords, but I have a few users on this
> machine who might not, so I'd like to automatically detect this
> kind of attack and reject all traffic from and to that IP number
> for a few hours. It doesn't have to respond instantaneously or
> anything: within a few minutes is fine.
>
> (a) Anyone know of a Debian package that does this?
>
> (b) If not, does anyone have a favorite way to build this behavior
> using standard tools? I could pretty easily write a script to tail
> the log and permanently ban such IPs, but for the sake of a clean
> routing table I'd rather the IPs get unbanned after a few hours,
> which is a somewhat more difficult project.

It's been my experience that the easiest solution is to simply change
the port SSHD listens on to a high/non-standard port. The dictionary
attack bots only scan port 22.

I personally only allow SSH keys to log in and turn off password
authentication.

And if you really want to block, I have some netfilter (iptables) rules
that will block port 22 for a while after detecting a high frequency of
connections in a short period of time.

- BS
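
Rules of the kind the reply's last paragraph describes can be built with the iptables `recent` match, which also covers the timed unban asked about in (b), because a ban stops matching once its timestamp is older than the ban period. The script below is an added example, not the poster's own rules; the chain names (`SSH_CHECK`, `SSH_BAN`), the list names and the default thresholds are assumptions.

```shell
#!/bin/sh
# Added example: print iptables commands that temporarily block a source IP
# after a burst of new SSH connections. Names and defaults are assumptions.

ssh_ratelimit_rules() {
    port=${1:-22}      # TCP port sshd listens on
    window=${2:-60}    # seconds over which new connections are counted
    hits=${3:-5}       # the Nth new connection inside the window triggers a ban
    ban=${4:-7200}     # ban length in seconds (two hours)

    # Refuse anything that is not a plain integer: the output may be piped
    # to a root shell, so no other characters may reach it.
    for v in "$port" "$window" "$hits" "$ban"; do
        case $v in
            ''|*[!0-9]*) echo "not a number: $v" >&2; return 1 ;;
        esac
    done

    # Rule order inside SSH_CHECK:
    #   1. drop sources still on the ban list (rcheck does not refresh the
    #      timestamp, so the ban expires $ban seconds after it was set)
    #   2. record this connection attempt in the ssh_seen list
    #   3. if the source reached $hits attempts within $window seconds,
    #      jump to SSH_BAN, which stamps the ban list and drops the packet
    # Anything else falls through to the rest of the INPUT chain.
    cat <<EOF
iptables -N SSH_CHECK
iptables -N SSH_BAN
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --name ssh_ban --rcheck --seconds $ban -j DROP
iptables -A SSH_CHECK -m recent --name ssh_seen --set
iptables -A SSH_CHECK -m recent --name ssh_seen --rcheck --seconds $window --hitcount $hits -j SSH_BAN
iptables -A SSH_BAN -m recent --name ssh_ban --set -j DROP
EOF
}

case "${1:-}" in
    --apply) ssh_ratelimit_rules | sh -e ;;   # needs root
    *)       ssh_ratelimit_rules ;;           # dry run: print for review
esac
```

Run without arguments it only prints the commands for review; `--apply` pipes them to a shell and needs root.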