[Intrusions] SSH brute forcers
ebios at ebios.wnaft.agh.edu.pl
Thu Jun 2 09:17:40 GMT 2005
Hello
Well, I think that the major problem with blacklisting is dealing with
dynamic IPs. Filtering them out of huge logs is legitimate under one
condition: the responsible ISP shall undertake proper measures to track
the offender or at least block the unique MAC address on its router.
If not, there is actually no point in blacklisting dynamic IPs unless we ban
the whole address family/domain.
IMHO there is no point in being open worldwide on all the ports our box is
listening to. By using tcpwrappers we can authorize specified hosts or whole
domains with an a priori specified ident to access chosen services, all other
traffic being wiped away with RST.
Actually I do have an ALL:ALL statement in /etc/hosts.deny, while
/etc/hosts.allow enables some trusted hosts to access some services.
It is up to the sysop to decide which services are allowed for all, which are
restricted to localhost, and which are accessible from several trusted
machines [with static IP or dynamic IP with previously defined ident].
Best regards
Wojciech Krolik
On Wed, 1 Jun 2005, Joel Esler wrote:
> I get about 10 -20 attempts on my box (different IP's) all adding up
> to about 200-300 attempts per day. I don't know if it's because it's
> on my blog, or people just really want access to my box. Have no
> idea...
>
> But I would love to blackhole them. I think I can automate that...
> Where should I send them? Here?
>
> Joel
>
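The hosts.deny / hosts.allow arrangement described above, worked through as an added example (not code from the post or from tcp_wrappers itself): a small Python model of the hosts_access(5) lookup order, with constructed rule files, documentation-range addresses, and assumed daemon names, hostnames and ident user.

```python
"""Toy evaluator of tcp_wrappers hosts_access(5) lookup order: hosts.allow first,
then hosts.deny, otherwise permit. Constructed for this post, not libwrap; handles
ALL, LOCAL, domain suffix, address prefix, ident user@host and EXCEPT only."""

# Constructed rule files mirroring the post (documentation addresses, not real hosts).
HOSTS_DENY = "ALL: ALL"
HOSTS_ALLOW = """
# sshd: one static address, one trusted domain, one ident-checked dynamic host
sshd: 192.0.2.10 .ops.example.org wojtek@.dyn.example.net
# mail submission local-only; web public except one abusive prefix
smtpd: LOCAL, 127.0.0.1
httpd: ALL EXCEPT 198.51.100.
"""

def parse_rules(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]   # a 3rd field would be a shell command
        yield daemons.replace(",", " ").split(), clients.replace(",", " ").split()

def client_matches(pat, host, addr, user):
    if "@" in pat and not pat.startswith("@"):      # user@host: ident name must match too
        want_user, pat = pat.split("@", 1)
        if user != want_user:
            return False
    if pat in ("ALL", "LOCAL"):                     # LOCAL: any hostname without a dot
        return pat == "ALL" or "." not in host
    if pat.startswith("."):                         # domain suffix
        return host.endswith(pat)
    if pat.endswith("."):                           # address prefix
        return addr.startswith(pat)
    return pat in (host, addr)                      # exact host name or address

def list_matches(patterns, pred):
    if "EXCEPT" in patterns:                        # list_1 EXCEPT list_2
        i = patterns.index("EXCEPT")
        return list_matches(patterns[:i], pred) and not list_matches(patterns[i + 1:], pred)
    return any(pred(p) for p in patterns)

def hosts_access(daemon, host, addr, user=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # user is the ident (RFC 931) name the client reported, if any
    def matched_in(text):
        return any(list_matches(d, lambda p: p in ("ALL", daemon))
                   and list_matches(c, lambda p: client_matches(p, host, addr, user))
                   for d, c in parse_rules(text))
    if matched_in(allow):
        return True                 # hosts.allow is consulted first
    return not matched_in(deny)     # then hosts.deny; no match anywhere means permit
```

Calling hosts_access with deny="" shows the trap the ALL:ALL line guards against: when neither file matches, access is granted.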