Thanks all,

I'm seeing mostly brute force password attacks on ssh.

I've also found configserver firewall...

Anyway still looking at what is around.

Thanks,
Ben Donohue
[email protected]


On 11/10/2010 2:41 PM, Michael Chesterton wrote:
On 11/10/2010, at 1:29 PM, Ben Donohue wrote:

I'm running an ecommerce site and currently I only deal with Australian shoppers.

However there are many hacking attempts from non Aussie IP addresses.

I'm looking at blocking everything that is non-Australian.

Has anyone done this? Any issues/gotchas/tips/etc?

Should I do it at the ISP or iptables? (would need a hand with IP tables)

I've found geoip, still looking into it.

I've thought about doing the same, but it's only a bandaid. It might stop the zombie probes, but won't stop a targeted attack, which will use a compromised host in Australia to relay through and probably break in through the web server.

What sort of attacks are you seeing? A lot of the attacks I see are harmless zombie probes looking for old and well known exploits on unpatched systems, or brute force password attacks on ssh.

ie if you keep your system up to date, and use good passwords, or better, keys, you shouldn't be bothered by the probes.

The biggest risk as I see it is the web software, sql injection, xss, etc. As far as iptables is concerned, it's legitimate traffic, you need to look inside the web requests coming in, ie deep packet inspection. Also do penetration testing.

If you're running apache, look at mod_security.

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
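Ben's iptables question above, as an added example that is not from anyone in this thread: a small script that turns a country CIDR list into ipset and iptables commands, printed for review rather than applied. The set name, the admin network and the three sample CIDRs are constructed placeholders taken from the RFC 5737 documentation ranges, not real Australian allocations; a real list would come from a GeoIP or registry-delegated ranges feed.

```shell
#!/bin/sh
# Added example: generate ipset + iptables rules that accept web traffic (80/443)
# only from a country allow-list and drop everything else. Output is printed so it
# can be reviewed first; pipe it into sh to apply on the server.

SET_NAME="au_ranges"                          # constructed name for the ipset
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # placeholder management network for ssh

# Constructed sample of "Australian" CIDRs (documentation ranges, not real allocations).
sample_cidrs() {
    printf '%s\n' "192.0.2.0/24" "198.51.100.0/25" "# comment lines are skipped" "203.0.113.0/24"
}

# gen_rules: read one CIDR per line on stdin, print the ipset and iptables commands.
gen_rules() {
    echo "ipset create $SET_NAME hash:net -exist"
    echo "ipset flush $SET_NAME"
    while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;                 # skip blank lines and comments
        esac
        echo "ipset add $SET_NAME $cidr -exist"
    done
    # Replies to connections the host opened must keep working regardless of country.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Web ports: accept from the set, log a sample of the rest, then drop.
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set $SET_NAME src -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 5/min -j LOG --log-prefix 'GEO-DROP: '"
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP"
    # ssh: only from the admin network; the country list is no substitute for keys here.
    echo "iptables -A INPUT -p tcp --dport 22 -s $ADMIN_CIDR -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# count_set_entries: number of 'ipset add' lines in generated output (handy for a sanity check).
count_set_entries() {
    grep -c "^ipset add "
}

sample_cidrs | gen_rules
```

The country filter only narrows the web-facing ports; the ssh rules and the conntrack line are what keep the box reachable for administration while the drop rules are in place.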