[CentOS] Paranoid Firewalling

Wed Sep 7 00:11:51 UTC 2005
Sam Drinkard <sam at wa4phy.net>

Kirk,

    If you don't mind, could you let me know where that script is?  I'm 
seeing the same thing -- kiddies trying to log in.  I use something 
similar, but manual entry on my mail server that is in a co-lo site 
running FreeBSD.  Here at home, I thought I'd be pretty well protected 
behind the router, but I have to have the ssh port open, and I'm seeing 
hundreds of attempts. 

Thanks...

Sam

Kirk Bocek wrote:

> Good question Alex. However, I've never studied the scripts that 
> 'script kiddies' use and so have no answer.
>
> Part of what has prompted this change is the recent surge of 
> brute-force password attacks. From the timing of the password 
> attempts, it's clear that these are script driven.
>
> I found a Perl script that watches for failed logins. After a 
> configurable number, the script enters the IP address into 
> /etc/hosts.deny. After a configurable number of days, the script then 
> removes the IP address.
>
> What I see in /var/log/secure is a whole series of 'Invalid user' 
> messages followed by 'Failed password for invalid user' messages. 
> These will then, because of the script, be terminated by a 'refused 
> connect from' message when the address is entered into hosts.deny.
>
> My point in all this is that I only ever see *one* 'refused connect' 
> message. So at least for this script, it gives up when it can't 
> connect anymore.
>
> Kirk Bocek

-- 
Snowman
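
Added example, not part of the original thread and not the Perl script Kirk refers to: the approach he describes, counting failed sshd logins per address and producing hosts.deny entries that expire after a set number of days, written in Python. The log lines are constructed, and the function names, threshold, retention period, allow list and exact sshd message layout are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed sshd message layout. Anchoring at end of line with a greedy ".*" takes
# the address sshd appended, not one embedded in a client-supplied user name.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for) .* from "
    r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})(?: port \d+ \S+)?\s*$")

# Constructed sample of /var/log/secure (documentation address ranges only).
SAMPLE = """\
Sep  6 23:58:01 host sshd[2101]: Invalid user admin from 192.0.2.10
Sep  6 23:58:03 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2
Sep  6 23:58:05 host sshd[2102]: Invalid user test from 192.0.2.10
Sep  6 23:58:07 host sshd[2102]: Failed password for invalid user test from 192.0.2.10 port 4322 ssh2
Sep  6 23:59:10 host sshd[2110]: Failed password for sam from 198.51.100.7 port 5000 ssh2
Sep  6 23:59:30 host sshd[2111]: Invalid user x from 203.0.113.9 from 192.0.2.10
Sep  6 23:59:40 host sshd[2112]: refused connect from 192.0.2.10
""".splitlines()

def count_failures(lines):
    """Count failed-login lines per source IPv4 address."""
    hits = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def update_blocks(blocks, hits, now, threshold=5, keep_days=7, allow=()):
    """Drop blocks older than keep_days, then block addresses at or over threshold."""
    cutoff = now - timedelta(days=keep_days)
    kept = {ip: ts for ip, ts in blocks.items() if ts > cutoff}
    for ip, n in hits.items():
        if n >= threshold and ip not in allow:
            kept.setdefault(ip, now)  # keep the original block time if present
    return kept

def hosts_deny_lines(blocks):
    """Render the block list in hosts.deny syntax (this example writes no file)."""
    return [f"sshd: {ip}" for ip in sorted(blocks)]

if __name__ == "__main__":
    now = datetime(2005, 9, 7)
    old = {"203.0.113.50": now - timedelta(days=8)}  # constructed, already expired
    blocks = update_blocks(old, count_failures(SAMPLE), now, allow={"198.51.100.7"})
    print("\n".join(hosts_deny_lines(blocks)))
```

The allow list keeps an address you log in from out of hosts.deny even if it crosses the threshold, for example after a run of mistyped passwords.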