"Denyhosts" is a very useful program which allows you to configure automatic blocking of port 22 based on a range of criteria, with a range of banning lifetimes etc.
It's a package in most distributions, well documented and afaik widely used.
I've used it on Debian, CentOS, FreeBSD, OpenBSD etc.
Dean
On 11/10/10 15:09, Ben Donohue wrote:
Thanks all,
I'm seeing mostly brute force password attacks on ssh.
I've also found configserver firewall...
Anyway still looking at what is around.
Thanks,
Ben Donohue
On 11/10/2010 2:41 PM, Michael Chesterton wrote:
On 11/10/2010, at 1:29 PM, Ben Donohue wrote:
I'm running an ecommerce site and currently I only deal with
Australian shoppers.
However there are many hacking attempts from non Aussie IP addresses.
I'm looking at blocking everything that is non-Australian.
Has anyone done this? Any issues/gotchas/tips/etc?
Should I do it at the ISP or iptables? (would need a hand with iptables)
I've found geoip, still looking into it.
I've thought about doing the same, but it's only a band-aid. It might stop the zombie probes, but won't stop a targeted attack, which will use a compromised host in Australia to relay through and probably break in through the web server.
What sort of attacks are you seeing? A lot of the attacks I see are harmless zombie probes looking for old and well-known exploits on unpatched systems, or brute force password attacks on ssh.
I.e. if you keep your system up to date, and use good passwords, or better, keys, you shouldn't be bothered by the probes.
The biggest risk as I see it is the web software, SQL injection, XSS, etc. As far as iptables is concerned, it's legitimate traffic; you need to look inside the web requests coming in, i.e. deep packet inspection. Also do penetration testing.
If you're running Apache, look at mod_security.
--
http://fragfest.com.au
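As an added example (written for this page, not code from anyone in the thread or from DenyHosts), the two ideas discussed above in one small script: a DenyHosts-style tally of failed sshd password attempts, plus the country check Ben asks about, rendered as port-22 iptables DROP rules. The sshd log lines and the prefix-to-country table are constructed stand-ins (RFC 5737 test ranges; "XX" marks an assumed foreign range) for the real auth log and a GeoIP database; the Australian source that keeps failing shows why Michael's point holds and the failure threshold is needed as well.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines using RFC 5737 test addresses, not real traffic.
SAMPLE_AUTH_LOG = """\
Oct 11 14:02:11 shop sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 11 14:02:13 shop sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct 11 14:03:01 shop sshd[2210]: Accepted publickey for ben from 198.51.100.5 port 40112 ssh2
Oct 11 14:05:40 shop sshd[2230]: Failed password for invalid user oracle from 192.0.2.44 port 3322 ssh2
Oct 11 14:09:00 shop sshd[2250]: Failed password for ben from 198.51.100.9 port 40200 ssh2
Oct 11 14:09:02 shop sshd[2250]: Failed password for ben from 198.51.100.9 port 40201 ssh2
Oct 11 14:09:04 shop sshd[2250]: Failed password for ben from 198.51.100.9 port 40202 ssh2
"""

# Constructed prefix-to-country table standing in for a real GeoIP database.
GEO_TABLE = {
    "198.51.100.0/24": "AU",  # assumed Australian range
    "203.0.113.0/24": "XX",   # assumed foreign ranges
    "192.0.2.0/24": "XX",
}

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def count_failures(log_text):
    """Count failed password attempts per source address (the tally DenyHosts keeps)."""
    return Counter(m.group(1) for m in map(FAILED_RE.search, log_text.splitlines()) if m)

def country_of(ip, table=GEO_TABLE):
    """Return the country code of the first matching prefix, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in table.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None

def select_blocks(log_text, threshold=3, allowed_country="AU"):
    """Map source IP -> reason: foreign sources fail the geo check; Australian ones need the threshold."""
    decisions = {}
    for ip, n in count_failures(log_text).items():
        cc = country_of(ip)
        if cc != allowed_country:
            decisions[ip] = f"geo:{cc}"
        elif n >= threshold:
            decisions[ip] = f"brute-force:{n}"
    return decisions

def iptables_rules(decisions):
    # One port-22 DROP rule per blocked source, sorted so output is stable.
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP  # {why}"
            for ip, why in sorted(decisions.items())]
```

Run on the sample, 198.51.100.5 (a successful key login) is never blocked, the two foreign sources are blocked by the country check alone, and 198.51.100.9 is blocked only because it crossed the failure threshold.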
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html