[CentOS] Paranoid Firewalling

Wed Sep 7 01:08:28 UTC 2005
Kirk Bocek <t004 at kbocek.com>

No! It's my secret! Bu-Wa-Ha-Ha! (or however that's spelled...)

Okay, you forced it out of me...

http://linuxmafia.com/pub/linux/security/ssh-dictionary-attack-blacklist

:)

Sam Drinkard wrote:
> Kirk,
> 
>    If you don't mind, could you let me know where that script is?  I'm 
> seeing the same thing -- kiddies trying to log in.  I use something 
> similar, but manual entry on my mail server that is in a co-lo site 
> running FreeBSD.  Here at home, I thought I'd be pretty well protected 
> behind the router, but I have to have the ssh port open, and I'm seeing 
> hundreds of attempts.
> Thanks...
> 
> Sam
> 
> Kirk Bocek wrote:
> 
>> Good question Alex. However, I've never studied the scripts that 
>> 'script kiddies' use and so have no answer.
>>
>> Part of what has prompted this change is the recent surge of 
>> brute-force password attacks. From the timing of the password 
>> attempts, it's clear that these are script driven.
>>
>> I found a perl script that watches for failed logins. After a 
>> configurable number, the script enters the IP address into 
>> /etc/hosts.deny. After a configurable number of days, the script then 
>> removes the IP address.
>>
>> What I see in /var/log/secure is a whole series of 'Invalid user' 
>> messages followed by 'Failed password for invalid user' messages. 
>> These will then, because of the script, be terminated by a 'refused 
>> connect from' message when the address is entered into hosts.deny.
>>
>> My point in all this is that I only ever see *one* 'refused connect' 
>> message. So at least for this script, it gives up when it can't 
>> connect anymore.
>>
>> Kirk Bocek
>>
>>
>>
>>
> 
>
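The watcher Kirk describes in the quoted message (count failed sshd logins per source address, write the address into /etc/hosts.deny after a threshold, remove it again after some days) is small enough to sketch in full. The block below is an added example for this archived thread; it is not the perl script behind the URL above and not code posted by anyone in the thread. The sample /var/log/secure lines, the addresses (RFC 5737 documentation ranges), the threshold of three, the seven-day expiry and the "# blacklisted <time>" comment used to track when an entry was added are all assumptions of this example.

```python
"""Stand-in for the failed-login watcher described in the thread.

Reads sshd lines in /var/log/secure format, counts password failures per
source address, and maintains time-stamped 'sshd: <ip>' entries in a
hosts.deny-style text so that stale blocks can be pruned after N days.
Example code added to the archived thread; not the perl script from the
URL above.  Log lines, addresses and thresholds are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# sshd logs a bad password in two forms: for an existing account and for an
# 'invalid user'.  The preceding 'Invalid user X from IP' line is deliberately
# NOT counted, because every such attempt is followed by a 'Failed password
# for invalid user' line for the same IP; counting both would double the score.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)
# Format this example uses for the hosts.deny lines it owns (an assumption of
# the example).  The trailing comment records when the block was added so
# prune() can expire it without touching hand-written rules.
ENTRY_RE = re.compile(r"^sshd: (\S+)\s+# blacklisted (\S+)$")
STAMP = "%Y-%m-%dT%H:%M:%S"

# Constructed sample of /var/log/secure (RFC 5737 documentation addresses).
SAMPLE_SECURE = """\
Sep  7 00:58:12 gw sshd[12345]: Invalid user test from 203.0.113.5
Sep  7 00:58:12 gw sshd[12345]: Failed password for invalid user test from 203.0.113.5 port 40123 ssh2
Sep  7 00:58:14 gw sshd[12347]: Invalid user admin from 203.0.113.5
Sep  7 00:58:14 gw sshd[12347]: Failed password for invalid user admin from 203.0.113.5 port 40131 ssh2
Sep  7 00:58:16 gw sshd[12349]: Failed password for root from 203.0.113.5 port 40140 ssh2
Sep  7 00:59:01 gw sshd[12350]: Accepted publickey for kirk from 198.51.100.7 port 51234 ssh2
Sep  7 00:59:30 gw sshd[12351]: Failed password for kirk from 198.51.100.7 port 51240 ssh2
Sep  7 00:59:40 gw sshd[12352]: refused connect from 203.0.113.5 (203.0.113.5)
"""
# Constructed hand-maintained hosts.deny content that the script must not touch.
EXISTING_HOSTS_DENY = "# hand-maintained rules\nALL: 192.0.2.0/255.255.255.0\n"


def count_failures(log_lines):
    """Map source IP -> number of failed password attempts."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold, allow=()):
    """IPs at or above the threshold, minus an allow-list for addresses you
    never want locked out (your own home or office address, for instance)."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allow)


def add_entries(hosts_deny, ips, now):
    """Append one 'sshd: IP' line per new offender, tagged with the block time.
    An IP already present is left alone so its expiry does not keep moving."""
    lines = hosts_deny.splitlines()
    present = {m.group(1) for m in map(ENTRY_RE.match, lines) if m}
    for ip in ips:
        if ip not in present:
            lines.append(f"sshd: {ip}   # blacklisted {now.strftime(STAMP)}")
    return "\n".join(lines) + "\n"


def prune(hosts_deny, now, days):
    """Drop entries this script created that are at least `days` old; lines
    not in our format (hand-written rules, comments) are always kept."""
    kept = []
    for line in hosts_deny.splitlines():
        m = ENTRY_RE.match(line)
        if m and now - datetime.strptime(m.group(2), STAMP) >= timedelta(days=days):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def blocked_ips(hosts_deny):
    """IPs currently blocked by entries in this script's format."""
    return [m.group(1) for m in map(ENTRY_RE.match, hosts_deny.splitlines()) if m]


if __name__ == "__main__":
    now = datetime(2005, 9, 7, 1, 0, 0)
    counts = count_failures(SAMPLE_SECURE.splitlines())
    bad = offenders(counts, threshold=3, allow={"198.51.100.7"})
    deny = add_entries(EXISTING_HOSTS_DENY, bad, now)
    print(deny)                                          # 203.0.113.5 blocked, kirk's one typo ignored
    print(prune(deny, now + timedelta(days=7), days=7))  # block expired, hand-written rules kept
```

Two points the thread touches on are visible in the sample: the "refused connect from" line that tcp_wrappers logs once the address is in hosts.deny matches neither pattern, so it never feeds back into the count, and the single failure from the legitimate user is far below the threshold (and on the allow-list besides), so a typo does not lock you out of your own box. Two caveats a practitioner would add: this processes a whole log in one pass rather than tailing it, so a real watcher needs to remember where it left off or run over a rotated file, and hosts.deny only has any effect on an sshd linked against libwrap (tcp_wrappers), which is how CentOS shipped OpenSSH at the time; otherwise the block has to go into iptables instead.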