[CentOS] SSH attacks from china

Wed Jul 29 20:16:14 UTC 2009
Lucian@lastdot.org <lucian at lastdot.org>

On Wed, Jul 29, 2009 at 9:10 PM, Sorin Srbu<sorin.srbu at orgfarm.uu.se> wrote:
>>-----Original Message-----
>>From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>>Behalf Of Lucian at lastdot.org
>>Sent: Sunday, July 26, 2009 11:27 PM
>>To: CentOS mailing list
>>Subject: Re: [CentOS] SSH attacks from china
>>
>>Vietnam and Indonezia are also suspects in my list.
>>The biggest problem with this approach is that even tho I could ban
>>whole Asia and Russia, a significant part of the attacks do not
>>originate from there, but from countries like USA, UK, etc, controlled
>>by hackers (also) from the aforementioned areas...
>>The latest case of password breaking I had to deal with was from an
>>USA IP address.. they managed to insert an iframe in all index.html
>>and index.php files on the respective FTP account. The iframe however
>>was pointing to a .ru website hosted in France.. Isn't globalization
>>fun?!
>>Anyway, just banning ranges of IP addresses may not enough, so to rely
>>on this _only_ would be careless.
>
> Exactly, that was what I trying to get at!
>
> So you're not going to ban all ip addresses from the US I take it, since
> most spam, crapware, attacks and whatnot originate from there, as you point
> out? ;-)

I might just do that, but of course, for a certain range of ports.
Actually a better idea would be to just allow connections on the most
sensitive services only from our country since we do no business with
people abroad. It would be interesting to see which method is more
performant, iptables+ipset or iptables-geoip.

> --
> /Sorin
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>