Re: SSH IP Blocking

From: Skatan (skatan@t-online.de)
Date: 04/18/02


From: "Skatan" <skatan@t-online.de>
Date: Thu, 18 Apr 2002 15:29:54 +0200


>You're going to get *FAR* more one-port single-SYN scans, or occasional
>SYN+FIN scans, and never hear from the IP# again. Unless you *really* know
>better, I suggest you're going to waste your firewall rules on folks who're
>never coming back - do let me know if you get anything like >1% repeat
>offenders, right?

Well, the script I am thinking about is just checking /var/log/messages
for 3 failed ssh logins and then blocking these IPs. After a few hours it
would then remove those IPs from my "ban list" again. So there prolly
won't be many iptables rules.

>It'd be pretty darn' hard, but they don't need to *log in* when they can
>DoS you.

Talking about DoS. Is there anything I can do against that then?

-Skatan
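
The script described in the message above, sketched as an added example that is not part of the original post or thread: it counts failed sshd logins per source IP, emits an iptables block rule at 3 failures and a matching delete once the ban expires. The log line format, the 10-minute counting window, the 3-hour ban, the allowlisted address and the sample lines are assumptions; the commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                      # failed logins before a ban (from the post)
WINDOW = timedelta(minutes=10)     # assumed: failures must fall within this span
BAN_TIME = timedelta(hours=3)      # assumed value for "a few hours"
ALLOWLIST = {"192.0.2.1"}          # assumed admin address that is never banned
RULE = "iptables -{} INPUT -s {} -p tcp --dport 22 -j DROP"

# Anchored to the end of the line: the username is attacker-controlled text, so
# only the final "from <ip> port <n>" that sshd itself appends is trusted.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                    r".* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d?)?$")

def process(lines, year=2002):
    """Return (time, iptables command) pairs for bans and their expiry."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    banned = {}                    # ip -> time the ban expires
    actions = []
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        # Expiry is checked on each parsed failure; a live script would use a timer.
        for old, until in list(banned.items()):
            if until <= now:
                actions.append((until, RULE.format("D", old)))
                del banned[old]
        if ip in ALLOWLIST or ip in banned:
            continue
        q = recent[ip]
        q.append(now)
        while now - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            banned[ip] = now + BAN_TIME
            q.clear()
            actions.append((now, RULE.format("I", ip)))
    return actions

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE = [
    "Apr 18 15:01:02 host sshd[411]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "Apr 18 15:01:05 host sshd[411]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "Apr 18 15:01:09 host sshd[412]: Failed password for invalid user x from 203.0.113.9 port 1 ssh2 from 198.51.100.7 port 4023 ssh2",
    "Apr 18 19:30:00 host sshd[500]: Failed password for bob from 192.0.2.1 port 5000 ssh2"]
```

The third sample line carries an address inside the username field; the end-anchored pattern attributes it to 198.51.100.7, so the embedded address is never banned.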