Have you installed software such as fail2ban, which will block the IP address after n failed SSH logins for n seconds? Depending on the purpose of the server it may block internet access for the client, but I wouldn't worry about that for my network. I have it installed on all my Linux boxes and it blocks the routine SSH attacks that are all too common these days.
--
Tom DeReggi wrote:
> We recently had a really nasty DOS attack that took down a large part
> of our network across several cell sites, from the infected client all
> the way to the Internet transit.
> Take note that we identified the problem quickly and cured it quickly.
> But.... This is the first time that this has occurred in 5 years, as we
> have a good number of smart design characteristics that have limited
> the effects of most viruses on our network. We stopped the attack by
> blocking SSH to the infected sub. The average amount of traffic
> crossing the entire network path from the client to the Internet was
> about 500 kbps on average. (This was a 20 Mbps wireless link, and a
> 100 Mbps fiber transport link to the transit.) The two routers were a
> P4 2 GHz, and a Dual XEON 2.2 GHz w/ 10,000 rpm SCSI3. The damage was
> that the CPU was nailed on both routers to about 99.9% using "TOP" to
> monitor stats. We verified that successful SSH sessions were not made
> directly to the protected routers themselves. Take note that the
> wireless links were barely affected; it was the router 2 hops away
> (Dual XEON) that got overloaded the most. Our routers have been
> tested to pass over 2 Gbps of throughput easily, and have been load
> tested to survive very small packets and high PPS adequately. The
> infected sub was bandwidth managed with HTB to 256k CIR, 1 Mbps MIR,
> but not anything for PPS. So I'm looking for reasons that the CPU got
> overloaded. My theory is that the DOS attack resulted in a large
> number of disk writes (maybe logging?) causing the CPU saturation.
> I've had a hard time locating the cause, and have not discovered which
> virus yet, although I should have more info soon from my clients.
>
> So my question....
>
> What needs to be done on a Linux machine to harden it, to protect
> against CPU oversaturation during DOS attacks?
>
> What should and shouldn't be logged? Connection tracking? Firewall
> logging? Traffic stats?
>
> Tom DeReggi
> RapidDSL & Wireless, Inc
> IntAirNet- Fixed Wireless Broadband

--
WISPA Wireless List: [email protected]
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
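As an added illustration of the threshold logic the reply describes (this is example code written here, not code from the thread and not fail2ban's own implementation), the following parses OpenSSH "Failed password" lines from a syslog-style auth log, keeps a per-source sliding window of failures, and returns which addresses crossed the limit. The parameter names maxretry, findtime and bantime mirror fail2ban's terminology; the log lines, hostnames and addresses are constructed for the example, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth-log lines (syslog format, which carries no year).
# 203.0.113.7 fails five times in eight seconds; 192.0.2.44 fails five times
# spread fifteen minutes apart; 198.51.100.9 fails once and then succeeds.
SAMPLE_LOG = """\
Mar 14 02:10:01 gw sshd[4411]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 14 02:10:03 gw sshd[4412]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 14 02:10:05 gw sshd[4413]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 14 02:10:06 gw sshd[4414]: Failed password for invalid user test from 203.0.113.7 port 51044 ssh2
Mar 14 02:10:09 gw sshd[4415]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar 14 02:11:00 gw sshd[4420]: Failed password for tom from 198.51.100.9 port 40001 ssh2
Mar 14 02:11:20 gw sshd[4421]: Accepted publickey for tom from 198.51.100.9 port 40002 ssh2
Mar 14 02:30:00 gw sshd[4430]: Failed password for root from 192.0.2.44 port 33001 ssh2
Mar 14 02:45:00 gw sshd[4431]: Failed password for root from 192.0.2.44 port 33002 ssh2
Mar 14 03:00:00 gw sshd[4432]: Failed password for root from 192.0.2.44 port 33003 ssh2
Mar 14 03:15:00 gw sshd[4433]: Failed password for root from 192.0.2.44 port 33004 ssh2
Mar 14 03:30:00 gw sshd[4434]: Failed password for root from 192.0.2.44 port 33005 ssh2
"""

# Matches the OpenSSH failure message, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2024):
    """Syslog timestamps have no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside findtime seconds.

    Failures from an address that is already banned are ignored for bantime seconds,
    mirroring the "block for n seconds" behaviour the reply describes.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures (oldest first)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are skipped
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans and (t - bans[ip]).total_seconds() < bantime:
            continue              # still banned; nothing new to decide
        window = recent[ip]
        window.append(t)
        # Drop failures older than findtime so slow, spread-out attempts never accumulate.
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = t
            window.clear()
    return bans

def block_rule(ip, port=22):
    """Netfilter rule a ban action would install (DROP inbound SSH from the source)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {block_rule(ip)}")
```

With the defaults only 203.0.113.7 is banned: 192.0.2.44 never has five failures inside one 600-second window, so a slow guesser slips under this threshold unless findtime is widened (for example to 7200 seconds, which catches both). That trade-off between findtime and false positives is the knob to think about when the clients behind a ban are whole subscriber networks, as the reply notes.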
