Benji Weber wrote:
> On 16/07/07, Richard Creighton <[EMAIL PROTECTED]> wrote:
>> My question is what, if any, firewall rule could I write that could
>> detect such attacks and automatically shut down forwarding packets from
>> the offending node or domain? That would give me an additional layer
>> of defense as well as freeing up a significant amount of log file space.
>
> set the following line
>
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh"
>
> in /etc/sysconfig/SuSEfirewall2. This will limit to a maximum of 3
> attempts per 120s.

The log excerpt was despite a setting of:

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"

which is similar to your suggestion. I will modify the hitcount and blockseconds, but I am curious why it didn't block *all* subsequent attempts from that IP for the 'blockseconds' value. If you look at the log, it is obvious that if any blocking is occurring, it is only blocking more attempts of the same name, but I can't tell for sure if it is trying new names almost instantly after being blocked or what; but it is obvious the IP isn't being blocked.

> Even more effective can be running sshd on an unusual port, or
> installing something like "fail2ban"

I thought about an 'unusual port', but a port scanner would certainly find it as it found port 22. What is fail2ban? It looks like Google time :) Thanks for the heads-up.

Richard

> _
> Benjamin Weber
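The following is an added example, not code from the thread or from SuSEfirewall2. It simulates the iptables `recent` match that `hitcount=`/`blockseconds=` are built on, so you can see what such a rule does and does not count. It assumes (not stated on the page) that SuSEfirewall2 expands the option into a DROP rule using `-m recent --update --seconds S --hitcount H` followed by an ACCEPT rule using `-m recent --set`, both applied only to new TCP connections to the port; the rule order, the `RecentList`/`filter_connections` names and the sample traffic are all constructed for illustration.

```python
"""Simulate the iptables 'recent' match behind a hitcount/blockseconds rate limit.

Assumed rule shape (not taken from the thread; confirm with `iptables-save | grep recent`):
    -p tcp --dport 22 <NEW> -m recent --name ssh --update --seconds S --hitcount H -j DROP
    -p tcp --dport 22 <NEW> -m recent --name ssh --set -j ACCEPT
"""
from collections import defaultdict


class RecentList:
    """Per-source hit timestamps, like the kernel keeps under /proc/net/xt_recent/<name>
    (older kernels: /proc/net/ipt_recent/<name>)."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(list)  # src -> list of hit times in seconds

    def set(self, src, now):
        # --set: record a hit for this source.
        self.stamps[src].append(now)

    def check(self, src, now, seconds, hitcount, update):
        """--rcheck / --update with --seconds and --hitcount.

        Matches when src has at least `hitcount` hits within the last `seconds`.
        With update=True (--update) a match also records a fresh hit, so a source
        that keeps connecting while blocked keeps extending its own block.
        """
        recent = [t for t in self.stamps[src] if now - t <= seconds]
        matched = len(recent) >= hitcount
        if matched and update:
            self.stamps[src].append(now)
        return matched


def filter_connections(events, hitcount, blockseconds, update=True):
    """Run the two rules over (time, src) NEW-connection events.

    Returns a list of (time, src, verdict). Note what is counted: new TCP
    connections, not failed logins. Several password attempts inside one SSH
    session are one hit here, even though sshd logs each of them.
    """
    table = RecentList("ssh")
    verdicts = []
    for now, src in events:
        if table.check(src, now, blockseconds, hitcount, update):
            verdicts.append((now, src, "DROP"))
        else:
            table.set(src, now)
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


def dropped(events, hitcount=5, blockseconds=300, update=True):
    """Times at which a connection was dropped, for the given settings."""
    return [t for t, _, v in filter_connections(events, hitcount, blockseconds, update)
            if v == "DROP"]


# Constructed sample traffic (not the log from the thread): one source opens a new
# SSH connection every 10 s, a second source connects once, the first comes back later.
BURST = [(t, "198.51.100.7") for t in range(0, 60, 10)] + [(60, "203.0.113.9"),
                                                            (400, "198.51.100.7")]

# A persistent source that keeps reconnecting every 60 s after it has been blocked.
PERSISTENT = [(t, "198.51.100.7") for t in range(0, 60, 10)] + \
             [(t, "198.51.100.7") for t in range(110, 700, 60)]


if __name__ == "__main__":
    for now, src, verdict in filter_connections(BURST, hitcount=5, blockseconds=300):
        print(f"t={now:4d}  {src:15}  {verdict}")
    print("persistent source, --update:", dropped(PERSISTENT, update=True))
    print("persistent source, --rcheck:", dropped(PERSISTENT, update=False))
```

With hitcount=5 and blockseconds=300 the sixth new connection inside the window is dropped and the source is accepted again once its hits age out of the window. The two `PERSISTENT` runs show the difference the `--update` versus `--rcheck` form makes: with `--update` every blocked attempt refreshes the entry, so a source that keeps reconnecting stays blocked, whereas with `--rcheck` it is admitted again after `blockseconds` and must exceed the hitcount once more. To check what the real rule is doing on a SUSE host, compare the entry for the offending address under `/proc/net/xt_recent/ssh` (or `/proc/net/ipt_recent/ssh` on older kernels) with the sshd log: if the log shows many failed logins per counted connection, the limit is on connections, not on login attempts.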
