[CentOS] Paranoid Firewalling

Thu Sep 8 13:41:57 UTC 2005
Alex White <ethericalzen at gmail.com>

Kirk Bocek wrote:
> No! It's my secret! Bu-Wa-Ha-Ha! (or however that's spelled...)
> 
> Okay, you forced it out of me...
> 
> http://linuxmafia.com/pub/linux/security/ssh-dictionary-attack-blacklist
> 
> :)
> 
> Sam Drinkard wrote:
> 
>> Kirk,
>>
>>    If you don't mind, could you let me know where that script is?  I'm 
>> seeing the same thing -- kiddies trying to log in.  I use something 
>> similar, but manual entry on my mail server that is in a co-lo site 
>> running FreeBSD.  Here at home, I thought I'd be pretty well protected 
>> behind the router, but I have to have the ssh port open, and I'm 
>> seeing hundreds of attempts.
>> Thanks...
>>
>> Sam
>>
>> Kirk Bocek wrote:
>>
>>> Good question Alex. However, I've never studied the scripts that 
>>> 'script kiddies' use and so have no answer.
>>>
>>> Part of what has prompted this change is the recent surge of 
>>> brute-force password attacks. From the timing of the password 
>>> attempts, it's clear that these are script driven.
>>>
>>> I found a perl script that watches for failed logins. After a 
>>> configurable number, the script enters the IP address into 
>>> /etc/hosts.deny. After a configurable number of days, the script then 
>>> removes the IP address.
>>>
>>> What I see in /var/log/secure is a whole series of 'Invalid user' 
>>> messages followed by 'Failed password for invalid user' messages. 
>>> These will then, because of the script, be terminated by a 'refused 
>>> connect from' message when the address is entered into hosts.deny.
>>>
>>> My point in all this is that I only ever see *one* 'refused connect' 
>>> message. So at least for this script, it gives up when it can't 
>>> connect anymore.
>>>
>>> Kirk Bocek

Thanks for that linkage. And your previous explanation of what you 
were seeing. Sorry I've been ill so couldn't check the list until 
today. Really appreciate it.

Sincerely,

Alex
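The quoted description of the blacklisting script (count failed logins per address in /var/log/secure, add the address to /etc/hosts.deny after a configurable number, remove it again after a configurable number of days) is the kind of thing that is easy to sketch in code. The block below is an added illustration written for this page; it is not Kirk's perl script nor the script at the linuxmafia.com link, and it does not touch the real /etc/hosts.deny. It models the deny list in memory and renders it in hosts.deny syntax, so the threshold and expiry logic can be checked against a few constructed log lines. The sample lines use RFC 5737 test addresses and are made up; the regex assumes the usual sshd wording ('Failed password for [invalid user] NAME from IP ...').

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the /var/log/secure format the thread
# describes ('Invalid user' lines followed by 'Failed password' lines).
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_SECURE_LOG = """\
Sep  8 13:01:02 host sshd[2101]: Invalid user admin from 192.0.2.10
Sep  8 13:01:03 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Sep  8 13:01:05 host sshd[2102]: Invalid user test from 192.0.2.10
Sep  8 13:01:06 host sshd[2102]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Sep  8 13:01:08 host sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 40003 ssh2
Sep  8 13:02:11 host sshd[2110]: Failed password for root from 198.51.100.7 port 51000 ssh2
Sep  8 13:02:14 host sshd[2110]: Failed password for root from 198.51.100.7 port 51000 ssh2
Sep  8 13:03:20 host sshd[2120]: Failed password for invalid user guest from 203.0.113.5 port 33000 ssh2
Sep  8 13:03:21 host sshd[2121]: Failed password for invalid user guest from 203.0.113.5 port 33001 ssh2
Sep  8 13:03:22 host sshd[2122]: Failed password for invalid user guest from 203.0.113.5 port 33002 ssh2
Sep  8 13:05:00 host sshd[2130]: Accepted publickey for alex from 192.0.2.99 port 22000 ssh2
"""

# Only the 'Failed password' line is counted; the preceding 'Invalid user'
# line for the same attempt would otherwise double-count each try.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3})"
)


def count_failures(lines):
    """Return a Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold):
    """Addresses with at least `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


class DenyList:
    """In-memory model of the hosts.deny entries such a script manages."""

    def __init__(self):
        self.entries = {}  # ip -> datetime when the entry was added

    def add(self, ip, now):
        # Keep the original timestamp so repeat offenders do not get their
        # expiry clock reset by every new failure.
        self.entries.setdefault(ip, now)

    def expire(self, now, max_age_days):
        """Drop entries older than `max_age_days`; return the removed IPs."""
        cutoff = now - timedelta(days=max_age_days)
        removed = sorted(ip for ip, added in self.entries.items() if added <= cutoff)
        for ip in removed:
            del self.entries[ip]
        return removed

    def render(self):
        """Text in hosts.deny syntax, restricted to the sshd daemon."""
        return "".join(f"sshd: {ip}\n" for ip in sorted(self.entries))


def update_denylist(denylist, log_text, threshold, now):
    """One pass of the watcher: scan the log and add every offender."""
    for ip in offenders(count_failures(log_text.splitlines()), threshold):
        denylist.add(ip, now)
    return denylist


if __name__ == "__main__":
    dl = update_denylist(DenyList(), SAMPLE_SECURE_LOG, 3, datetime(2005, 9, 8, 13, 10))
    print(dl.render(), end="")
```

With a threshold of 3, the two scanning hosts in the sample end up in the list while the address with only two root failures does not; a later expiry pass with a 7-day limit removes them again once they are old enough. A real deployment would read the log incrementally, write the rendered text into /etc/hosts.deny (or into a separate file it owns), and keep the added-on timestamps on disk so the expiry survives a restart.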