[CentOS] Intrusion Attempt Prevension - iptables problems

Steve Huff shuff at vecna.org
Mon Jan 12 20:45:56 UTC 2009


On Jan 12, 2009, at 3:24 PM, James B. Byrne wrote:

> It is evident that this attacker had more than one netblock  
> available.  It
> is conceivable that, instead of serially attacking us, they could just
> have easily attempted multiple simultaneous connections from all of  
> their
> available IP addresses.  This would completely defeat the current  
> throttle
> rules.  Should I also throttle the total number of new connections  
> from
> all IPs?


you might be better served by adding an additional layer of defense  
e.g. denyhosts (which you can get from Dag).  it's pretty good at  
deflecting brute-force attacks, especially if you enable  
synchronization mode in order to learn about hostile IPs before they  
hit you.  initial setup should be a matter of minutes, i'd expect.

a useful trick to keep your hosts.deny file from growing to massive  
size is to use the hosts.evil include mechanism:

Can I use a non-standard hosts.deny file? (http://denyhosts.sourceforge.net/faq.html#2_6 
)

-steve

--
If this were played upon a stage now, I could condemn it as an  
improbable fiction. - Fabian, Twelfth Night, III,v



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2209 bytes
Desc: not available
Url : http://lists.centos.org/pipermail/centos/attachments/20090112/8c2c3d7e/attachment.bin 


More information about the CentOS mailing list