Re: SSH IP Blocking

From: Skatan (skatan@t-online.de)
Date: 04/18/02


From: "Skatan" <skatan@t-online.de>
Date: Thu, 18 Apr 2002 15:29:54 +0200


>You're going to get *FAR* more one-port single-SYN scans, or occasional
>SYN+FIN scans, and never hear from the IP# again. Unless you *really* know
>better, I suggest you're going to waste your firewall rules on folks who're
>never coming back - do let me know if you get anything like >1% repeat
>offenders, right?

Well, the script I am thinking about is just checking /var/log/messages
for 3 failed ssh logins and then block these IPs. After a few hours it
would then remove those IPs from my "ban list" again. So there prolly
won't be many iptables rules.

>It'd be pretty darn' hard, but they don't need to *log in* when they can
>DoS you.

Talking about DoS. Is there anything I can do against that then?

-Skatan
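
A sketch of the script described in the message above, added here as an example and not part of the original post. It assumes OpenSSH-style "Failed password" syslog lines, a 3-hour ban as a stand-in for "a few hours", and IPv4 only; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Anchored at both ends: the address is read from the trailing fields sshd
# writes, because the user name before it is client-supplied text. IPv4 only.
FAILED = re.compile(
    r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?$"
)
THRESHOLD = 3                  # failed logins before a ban (from the post)
BAN_TIME = timedelta(hours=3)  # "a few hours" in the post; 3 is an assumption
RULE = "INPUT -s {ip} -p tcp --dport 22 -j DROP"

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "Apr 18 12:00:01 host sshd[411]: Failed password for root from 192.0.2.10 port 4101 ssh2",
    "Apr 18 12:00:05 host sshd[412]: Failed password for root from 192.0.2.10 port 4102 ssh2",
    "Apr 18 12:00:09 host sshd[413]: Failed password for illegal user test from 198.51.100.7 port 3300 ssh2",
    "Apr 18 12:00:12 host sshd[414]: Failed password for admin from 192.0.2.10 port 4103 ssh2",
    "Apr 18 12:01:00 host sshd[415]: Accepted password for alice from 203.0.113.5 port 2200 ssh2",
]

def ban_windows(lines, year):
    """Map each IP that reaches THRESHOLD failures to (ban_start, ban_end)."""
    failures, windows = Counter(), {}
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        stamp, ip = m.groups()
        failures[ip] += 1
        if failures[ip] == THRESHOLD:
            # syslog timestamps carry no year, so the caller supplies it
            start = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            windows[ip] = (start, start + BAN_TIME)
    return windows

def iptables_commands(windows, now):
    """Commands for a run at `now`: insert active bans, delete expired ones.
    Returned as strings only; the caller must track which rules are installed."""
    cmds = []
    for ip, (_start, end) in sorted(windows.items()):
        action = "-I" if now < end else "-D"  # windows come from past log lines
        cmds.append(f"iptables {action} " + RULE.format(ip=ip))
    return cmds

if __name__ == "__main__":
    for cmd in iptables_commands(ban_windows(SAMPLE, 2002), datetime(2002, 4, 18, 13, 0)):
        print(cmd)
```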


