There is an iptables geoip module to allow you to specify countries. I never used it, though.
The advantage of denyhosts is that it not only bans addresses but also shares banned hosts with a network of a few thousand installations (an opt-in option), so you are not on your own.
Moving ssh to a non-standard port is the best thing you can do under the circumstances you describe, IMHO.
Another option might be to tar-pit attackers (using iptables) - that way you can slow down their traffic so hopefully they'll eat less of your bandwidth.
-Amos
On 10/10/09, Toby Bluhm tkb@alltechmedusa.com wrote:
Toby Bluhm wrote:
Niki Kovacs wrote:
Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
Cheers,
Try fail2ban from rpmforge.
Also, if you're using the standard fw that ships with centos, you can stop entire blocks of IPs by manually inserting rules after iptables starts:
iptables -I RH-Firewall-1-INPUT 1 -s 1.2.3.4/24 -p tcp --dport 22 -j DROP
IP ranges by country: http://www.countryipblocks.net/country-blocks/select-formats/
The IP ranges will change from time to time, so you have to check often. You could script in a download from http://www.countryipblocks.net/continents/ to keep it current.
Like someone said, if you have to keep ssh open to the world, changing the port number will dramatically cut down on the attempts.
-- tkb
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
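
The suggestion above of scripting a downloaded block list into firewall rules could look like the following; this is an added example, not part of the original thread. It assumes the list has been saved as one IPv4 CIDR per line with `#` comments (the site's actual download format is not shown in the thread), and the function names are hypothetical. It prints the commands for review instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed input: one IPv4 CIDR per line, '#' comments.
CHAIN="RH-Firewall-1-INPUT"   # chain used in the rule quoted in the thread
PORT=22

# valid_cidr A.B.C.D/N: succeeds only for a well-formed IPv4 CIDR.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr              # split into octets (digits and dots only by now)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_block_rules: CIDR list on stdin -> one DROP rule per unique valid block on stdout.
# Malformed lines are reported on stderr and never reach a command line.
gen_block_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | LC_ALL=C sort -u |
    while IFS= read -r cidr; do
        if valid_cidr "$cidr"; then
            echo "iptables -I $CHAIN 1 -s $cidr -p tcp --dport $PORT -j DROP"
        else
            echo "skipped malformed entry: $cidr" >&2
        fi
    done
}

# Constructed sample list (documentation address ranges, not real country data).
sample_list() {
    cat <<'EOF'
# constructed sample
192.0.2.0/24
198.51.100.0/24   # trailing comment
192.0.2.0/24
203.0.113.0/33
example.invalid/24
EOF
}

sample_list | gen_block_rules   # review the output, then run it as root
```

Validating every entry before it is placed on a command line matters because the list comes from a third-party download that changes over time.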