On Wed, July 23, 2008 12:25, Nifty Cluster Mitch wrote:

> I like 'denyhosts' as a tool to limit these attacks, other good solutions
> also exist. Most distros now have 'denyhosts' as a prebuilt RPM which
> is a plus IMO (+). As others remarked disable root logins. Manage the
> 'su, sudo' list with care and populate the illegal user list aggressively
> based on the attack list observed in the logs. Users with su, sudo
> privilege should be limited to those that use sshkey login and understand
> what a strong password is.

Denyhosts has some interesting intelligence; I'm particularly pleased by the bit where it notifies me of dodgy logins (success after some failures). I also wonder what's being done to limit the denial-of-service possibilities of the "synchronization" mode.

(*I* have added lines to /etc/hosts.allow to let key people in via SSH from their home and personal servers even if those addresses end up in hosts.deny.)

(And there's a denyhost rpm in, hmm, I think 'rf' is the rpmforge repository for Centos.)

I've been playing for years at a set of services to create firewall blocking commands based on attacks: delivery of email to spamtrap addresses, probes to closed ports, failed logins, etc. Studying the data, it looks like multiple copies of spam delivered to my host often come from different IPs, though (makes sense with botnets); that sort of information has led me to be less aggressive about getting a system actually running. The SSH attacks I've seen currently *do* seem to come in series from the same IP, so blocking that has at least some benefit (mostly cleaning up my logs I suspect).

-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
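As an added illustration of the log-driven blocking and the "success after failures" notification discussed above (example code written for this page, not code from the thread or from denyhosts): a small analyzer that walks sshd auth lines, counts failures per source address, emits firewall block commands past a threshold, and flags any address that logged in successfully after failing. The log lines, the threshold, the iptables rule format and the hypothetical ALLOW set standing in for /etc/hosts.allow entries are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines for this example (RFC 5737 test addresses).
SAMPLE_LOG = """\
Jul 23 12:01:01 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Jul 23 12:01:05 host sshd[1235]: Failed password for invalid user oracle from 198.51.100.7 port 4023 ssh2
Jul 23 12:01:09 host sshd[1236]: Failed password for root from 198.51.100.7 port 4024 ssh2
Jul 23 12:02:00 host sshd[1240]: Failed password for dd-b from 203.0.113.5 port 5001 ssh2
Jul 23 12:02:04 host sshd[1241]: Failed password for dd-b from 203.0.113.5 port 5002 ssh2
Jul 23 12:02:10 host sshd[1242]: Accepted publickey for dd-b from 203.0.113.5 port 5003 ssh2
Jul 23 12:03:00 host sshd[1250]: Failed password for root from 192.0.2.9 port 6001 ssh2
Jul 23 12:03:03 host sshd[1251]: Failed password for root from 192.0.2.9 port 6002 ssh2
Jul 23 12:03:06 host sshd[1252]: Failed password for root from 192.0.2.9 port 6003 ssh2
Jul 23 12:03:20 host sshd[1253]: Accepted password for root from 192.0.2.9 port 6004 ssh2
"""

# Hypothetical hosts.allow-style exceptions: never emit a block for these,
# as the post does for key people's home and personal servers.
ALLOW = frozenset({"203.0.113.5"})

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed password|Accepted \w+) for (?:invalid user )?\S+ "
    r"from (\d+(?:\.\d+){3})")

def parse_line(line):
    """Return (ip, 'failed' | 'accepted') for an sshd auth line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(2), ("failed" if m.group(1).startswith("Failed") else "accepted")

def analyze(lines, threshold=3, allow=frozenset()):
    """Walk lines in order. Returns (to_block, notify): to_block holds IPs
    that reached `threshold` failures and are not allowlisted; notify holds
    IPs that were accepted after at least one failure (allowlisted or not),
    the case denyhosts reports as a dodgy login."""
    failures = defaultdict(int)
    to_block, notify = set(), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an auth result line
        ip, event = parsed
        if event == "failed":
            failures[ip] += 1
            if failures[ip] >= threshold and ip not in allow:
                to_block.add(ip)
        elif failures[ip] > 0:
            notify.add(ip)
    return to_block, notify

def block_commands(ips):
    """Render one iptables DROP rule for port 22 per blocked address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(ips)]
```

Run over the sample, 198.51.100.7 and 192.0.2.9 are blocked, 203.0.113.5 is spared by the allowlist, and both 203.0.113.5 and 192.0.2.9 are reported as success-after-failures.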