The Monday 2007-07-16 at 08:19 -0400, Richard Creighton wrote:
> > FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh"
> >
> >
> > in /etc/sysconfig/SuSEfirewall2 This will limit to a maximum of 3
> > attempts per 120s.
> >
> The log excerpt was despite a setting of:
>
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=300,recentname=ssh"
>
> which is similar to your suggestion. I will modify the hitcount and
> blockseconds but I am curious why it didn't block *all* subsequent
> attempts from that IP for the 'blockseconds' value. If you look at the
> log, it is obvious that if any blocking is occurring, it is only blocking
> more attempts of the same name but I can't tell for sure if it is trying
> new names almost instantly after being blocked or what, but it is
> obvious the IP isn't being blocked.
It doesn't even look at login name: it only looks at connection attempts
to a certain port, no matter what that port is for.
And I think that blocks should be logged. At least, a previous version of
this idea did so.
> > Even more effective can be running sshd on an unusual port, or
> > installing something like "fail2ban"
> >
> I thought about an 'unusual port', but a port scanner would certainly
> find it as it found port 22.
Interestingly, most of these scans are done by scripts that don't really
scan every port.
--
Cheers,
Carlos E. R.
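As an added illustration of the point above that the rule only counts connection attempts to the port (my example, not code from either poster or from SuSEfirewall2): a small Python model of the iptables recent-match semantics behind hitcount=/blockseconds=, run over constructed traffic. It shows that several password failures inside one SSH session register as a single hit, and that the block lapses once the oldest hits age out of the window; the rcheck-then-set ordering and the addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample traffic, not from the list post: (seconds, source, event).
# "connect" = a NEW TCP connection to port 22 (the only thing the packet
# filter sees); "auth_fail" = a failed password inside an already
# established connection, which the firewall rule never examines.
SAMPLE_EVENTS = [
    (0,   "203.0.113.7", "connect"),
    (1,   "203.0.113.7", "auth_fail"),
    (2,   "203.0.113.7", "auth_fail"),
    (3,   "203.0.113.7", "auth_fail"),
    (4,   "203.0.113.7", "auth_fail"),
    (5,   "203.0.113.7", "auth_fail"),
    (10,  "203.0.113.7", "connect"),
    (20,  "203.0.113.7", "connect"),
    (30,  "203.0.113.7", "connect"),
    (40,  "203.0.113.7", "connect"),
    (50,  "203.0.113.7", "connect"),   # 6th connection in window -> dropped
    (60,  "198.51.100.9", "connect"),  # unrelated host, unaffected
    (330, "203.0.113.7", "connect"),   # oldest hits aged out -> accepted
]

def simulate_recent(events, hitcount=5, blockseconds=300):
    """Model of the iptables 'recent' match behind hitcount=/blockseconds=
    (assumed rcheck-then-set ordering): a NEW connection is dropped when
    its source already has >= hitcount recorded connections within the
    last blockseconds; otherwise it is recorded and accepted. Dropped
    packets are not recorded. Returns (verdicts for connect events,
    number of auth events the packet filter never saw)."""
    seen = defaultdict(list)
    verdicts = []
    invisible = 0
    for t, src, kind in events:
        if kind != "connect":
            invisible += 1   # inside an established stream; rule never sees it
            continue
        recent = [s for s in seen[src] if t - s < blockseconds]
        if len(recent) >= hitcount:
            verdicts.append((t, src, "DROP"))
        else:
            seen[src].append(t)
            verdicts.append((t, src, "ACCEPT"))
    return verdicts, invisible

if __name__ == "__main__":
    for verdict in simulate_recent(SAMPLE_EVENTS)[0]:
        print(verdict)
```

With the sample above the five password failures at t=1..5 never reach the rule, the sixth connection at t=50 is the first one dropped, and the attempt at t=330 is accepted again because only one hit remains inside the 300 s window.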