joe wrote:
>
> Richard Creighton wrote:
>> Just about every day, often several times a day, my logs include hours
>> of log entries that look like this:
>>
>> Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
>
> <snip>
>
>> My question is what, if any, firewall rule could I write that could
>> detect such attacks and automatically shut down forwarding packets from
>> the offending node or domain? That would give me an additional layer
>> of defense as well as freeing up a significant amount of log file space.
>
> I prefer a simpler approach. Rather than adding more firewall rules, I set
> the sshd allowed_users parameter to the 2 accounts that actually have a
> reason to log in, and I also limit the IP addresses which will accept an ssh
> connection using tcp wrappers (hosts.allow, hosts.deny).
typo/thinko - I meant, limit the addresses *from* which it will accept an ssh
connection using tcp wrappers.

Also, as one poster mentioned, using keys instead of passwords is another
handy ssh trick, along with reducing the max failed attempts and grace period
for ssh logins.

Joe

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
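As an added example (not code from Richard's or Joe's messages), the script below does the "detect and automatically shut down" step Richard asked about, but with the tcp-wrappers mechanism Joe describes instead of a firewall rule: it counts sshd "Invalid user ... from <ip>" lines per source address and appends a `sshd: <ip>` line to a hosts.deny-style file for every address that reaches a threshold. The log lines are constructed for the example (the first is Richard's, the rest are made up), the threshold of 5 and the function names are assumptions, and the deny file path is whatever you pass in.

```sh
#!/bin/sh
# Added example, not from the original thread. Log-driven blocker that turns
# repeated "Invalid user" attempts into tcp-wrappers deny entries.
# Assumptions: a threshold of 5 attempts, hosts.deny syntax "sshd: <ip>",
# and the constructed sample log below (real use would read /var/log/messages
# or wherever your syslog sends auth messages).

# Constructed sample log in syslog format. The last line is a successful
# key login and must not be counted.
SAMPLE_LOG='Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:27 raid5 sshd[6968]: Invalid user test from 83.18.244.42
Jul 16 00:35:29 raid5 sshd[6970]: Invalid user guest from 83.18.244.42
Jul 16 00:35:31 raid5 sshd[6972]: Invalid user oracle from 83.18.244.42
Jul 16 00:35:33 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
Jul 16 00:36:01 raid5 sshd[6980]: Invalid user admin from 192.0.2.10
Jul 16 00:36:05 raid5 sshd[6982]: Accepted publickey for joe from 192.0.2.20 port 51234 ssh2'

# offenders LOGTEXT THRESHOLD
#   Prints "<count> <ip>" for every source address with at least THRESHOLD
#   "Invalid user" lines, most active address first.
offenders() {
    printf '%s\n' "$1" |
        sed -n 's/.*sshd\[[0-9]*]: Invalid user .* from \([0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# deny_entries LOGTEXT THRESHOLD
#   Renders the offender list as lines suitable for /etc/hosts.deny.
deny_entries() {
    offenders "$1" "$2" | awk '{ print "sshd: " $2 }'
}

# block_offenders LOGTEXT THRESHOLD DENYFILE
#   Appends a deny entry for each new offender to DENYFILE, skipping
#   addresses already listed so repeated runs stay idempotent.
#   Prints the number of addresses added.
block_offenders() {
    added=0
    for ip in $(offenders "$1" "$2" | awk '{ print $2 }'); do
        if ! grep -q "^sshd: $ip\$" "$3" 2>/dev/null; then
            echo "sshd: $ip" >> "$3"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Demo: show what would be appended for the sample log.
deny_entries "$SAMPLE_LOG" 5
```

Two caveats before relying on this: tcp wrappers only take effect if sshd was built with libwrap (or runs under a wrapped inetd), and a `sshd: ALL` line in hosts.deny with the permitted networks in hosts.allow (hosts.allow is consulted first) already achieves the static allow-list Joe describes without any log parsing. If you want the firewall version Richard asked for instead, netfilter's `recent` match does the counting for you: `-m state --state NEW -m recent --set` on port 22 followed by `-m recent --update --seconds 60 --hitcount 4 -j DROP`. Either way, pair it with the sshd_config settings Joe lists: `AllowUsers` for the two real accounts, `PasswordAuthentication no` once keys are in place, and lower `MaxAuthTries` and `LoginGraceTime`.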
