Snort has a rule for this sort of kiddie. Then you script (or rather use a canned Snort script) a proper response (à la ipchains, BGP, whatever suits your needs).

On 7 Jun 2002, Martin Lesser wrote:

> The last days we had some trouble with a script-kiddie:
>
> Looks like this kid wrote a script which permanently (at least every
> second) tried to connect to port 5223 of our Jabber-Server (1.4.2)
> without having a real ssl-client at his side.
>
> This caused a huge number of log-entries (after enabling debugging):
>
> mio_ssl.c:238 SSL accepting socket with new session 82aeb48
> mio_ssl.c:256 Error from SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> mio_ssl.c:257 SSL Error in SSL_accept call
>
> After some time this caused our main jabberd to hang - only a restart of
> jabberd after inserting a DROP-Rule for the kiddie's IP into our
> iptables-ruleset brought jabberd back into stable working.
>
> At the moment I've no idea how to prevent jabberd of looping endless/too
> soon through mio_ssl in such a case, perhaps the heartbeat-monitor could
> help us here but I don't know how.
>
> Please correct me if you think that there's a possible misconfiguration
> at our side so I can post the relevant parts of our conf-files.
>
> BTW, is there a simple way to see which current user comes from which IP?
> netstat at this point is only partially helpful.
>
> TIA,
>
> Martin
>
> --
> Express communication with Jabber:
> JabberID: [EMAIL PROTECTED]
> _______________________________________________
> jdev mailing list
> [EMAIL PROTECTED]
> http://mailman.jabber.org/listinfo/jdev
>

---
Gabriel C. Millerd | There is a saying in prize fighting: Everyone has a
Sith Admin         | plan until they get hit.
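
Added example (not from either poster or the jabberd project): one way to script the kind of response the reply describes, assuming new connections to port 5223 are already logged by a netfilter LOG rule. The `JABBER-SSL:` prefix, host name, addresses, thresholds and the assumed year are constructed for illustration, and the script only prints the `iptables` DROP rules it would suggest.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s.*?\bSRC=(\S+).*?\bDPT=(\d+)")

def parse(line, year=2002):
    """Return (timestamp, src_ip, dst_port), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, clock, src, dpt = m.groups()
    # syslog timestamps carry no year, so one is assumed here
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, src, int(dpt)

def find_flooders(lines, port=5223, limit=10, window=timedelta(seconds=30)):
    """Sources opening more than `limit` connections to `port` within `window`."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    flagged = {}                  # src -> time the limit was first exceeded
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != port:
            continue
        ts, src, _ = rec
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit and src not in flagged:
            flagged[src] = ts
    return flagged

def drop_rules(flagged, port=5223):
    """Render (not execute) DROP rules like the one mentioned in the thread."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(flagged)]

def sample_log():
    """Constructed, abbreviated netfilter LOG lines; all values are made up."""
    fmt = ("Jun  7 10:00:{:02d} jabber kernel: JABBER-SSL: IN=eth0 OUT= "
           "SRC={} DST=192.0.2.10 PROTO=TCP SPT={} DPT={} SYN")
    lines = [fmt.format(s, "203.0.113.5", 40000 + s, 5223) for s in range(20)]
    lines += [fmt.format(s, "198.51.100.7", 50000 + s, 5223) for s in (3, 41)]
    lines += [fmt.format(s, "198.51.100.9", 51000 + s, 5222) for s in range(20)]
    return lines

if __name__ == "__main__":
    print("\n".join(drop_rules(find_flooders(sample_log()))))
```

The per-source sliding window keeps an occasional reconnecting client (the second constructed address) from being flagged, while the once-per-second source crosses the limit on its eleventh connection.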
