David G. Miller wrote:
Rainer Traut <tr.ml@...> writes:
To prevent scripted dictionary attacks against sshd I applied these iptables rules:
SNIP
Lots of good advice from several people. All of the suggested solutions mean you still have to wade through log entries from the unsuccessful attacks.
Except for tools like fail2ban.
I've been quite happy with similar iptables rules but I moved sshd to listen on something other than port 22 for external connections. I haven't seen a single brute force attack since making the move and all unsuccessful attempts to login via ssh get logged so it's not like attackers can stay below my radar.
It seems that the script kiddies who are responsible for most of these attacks don't bother scanning (nmap) before the attack. If port 22 isn't open they move elsewhere. If I ever see any failed login attempts I can assume that the perpetrator is at least a little more skilled than usual and possibly take additional action.
*sigh* It's not even script kiddies much, anymore: it's China, and Brazil, and then, way down, Russia, Thailand, Italy, the Netherlands, etc, etc. - botnets.
Some are, obviously, with misspelled logins (from last night: comercial, or a, aa, aaa) but some do know: root, oracle, netdump....
mark "ah, to return to the good ol' days, before Cantor and Siegal"
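Added example, not from any poster in this thread: the approach above relies on reading sshd's failed-login entries, so here is a small log triage script that does that over constructed auth.log-style lines. It counts failures per source IP, lists the usernames each source tried, separates guesses at accounts that exist on the host (sshd logs those without the "invalid user" prefix, e.g. root) from guesses at nonexistent ones, and flags sources over a threshold. The sample lines, the host name, the IPs and the threshold of 3 are all assumptions for the demonstration; the iptables rules that were snipped from the original message are not reproduced here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines in syslog/auth.log form (not taken from any
# poster's system). Mix of "invalid user" failures, failures against accounts
# that exist (root, alice) and one successful login that must be ignored.
SAMPLE_LOG = """\
May 12 03:14:07 host sshd[2831]: Failed password for invalid user comercial from 203.0.113.5 port 51234 ssh2
May 12 03:14:09 host sshd[2831]: Failed password for invalid user a from 203.0.113.5 port 51240 ssh2
May 12 03:14:11 host sshd[2831]: Failed password for invalid user aa from 203.0.113.5 port 51244 ssh2
May 12 03:14:13 host sshd[2831]: Failed password for invalid user aaa from 203.0.113.5 port 51250 ssh2
May 12 03:15:02 host sshd[2840]: Failed password for root from 198.51.100.7 port 40022 ssh2
May 12 03:15:04 host sshd[2840]: Failed password for invalid user oracle from 198.51.100.7 port 40030 ssh2
May 12 03:15:06 host sshd[2840]: Failed password for invalid user netdump from 198.51.100.7 port 40036 ssh2
May 12 03:20:00 host sshd[2901]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2
May 12 03:21:30 host sshd[2910]: Failed password for alice from 192.0.2.10 port 55010 ssh2
"""

# Matches OpenSSH's "Failed password" line. The optional "invalid user " prefix
# is emitted by sshd when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Return one (ip, user, account_missing) tuple per failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return out


def failures_per_ip(log_text):
    """Count failed logins by source address."""
    return Counter(ip for ip, _, _ in parse_failures(log_text))


def usernames_per_ip(log_text):
    """Usernames tried by each source, in log order (shows misspellings vs. real names)."""
    tried = defaultdict(list)
    for ip, user, _ in parse_failures(log_text):
        tried[ip].append(user)
    return dict(tried)


def existing_accounts_targeted(log_text):
    """Accounts that exist on this host and had at least one failed password."""
    return sorted({user for _, user, missing in parse_failures(log_text) if not missing})


def suspicious_ips(log_text, threshold=3):
    """Sources with at least `threshold` failures (threshold is an assumed tunable)."""
    return sorted(ip for ip, n in failures_per_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failures_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failures, tried {usernames_per_ip(SAMPLE_LOG)[ip]}")
    print("real accounts targeted:", existing_accounts_targeted(SAMPLE_LOG))
    print("over threshold:", suspicious_ips(SAMPLE_LOG))
```

Run against a real auth.log by replacing SAMPLE_LOG with the file's contents; the "existing accounts targeted" list is the one worth watching, since a single failure against a real account from a source that otherwise behaves (like alice's typo above) is noise, while root or oracle being tried from a source that also cycled through junk names is the pattern the thread describes.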