Bob Hoffman <bob at ...> writes:
>
> So I have been reading the ssh attack thread and finally want to ask about
> something.
>
> I doubt there is a program like this, but I would love to have a program
> that listens at common ports that I do not use at all...and only allow that
> program to listen to it, especially the usual ssh port (using a different
> one for real ssh)...
>
> That program would then, upon receiving a 'sniff' or 'user', add
> that IP to the deny hosts lists...for either a long or short time.
>
> Using this would seem like a win as you can easily grab someone before they
> can get somewhere, one hopes.
> Also, by opening up a few other ports that are unusual like 8561....well, if
> someone sniffs that it could be a 3 day ban or a month...
>
> In other words, anyone hitting those ports that are not being used at all
> except by our sniff protector would allow instant banning.
>
> So...does something like this exist?
>

Just in case you want to play around with just logging the port probing
information, you can add something like the following rules to your firewall:

    -A RH-Firewall-1-INPUT -p tcp -m tcp -j LOG
    -A RH-Firewall-1-INPUT -p udp -m udp -j LOG

Add the rules at the bottom of /etc/sysconfig/iptables but before your
ultimate reject rule. Make sure you have enough room in /var/log for the
amount of data you will be collecting.

The log entries in /var/log/messages will look like:

    Jun 16 00:51:01 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=59356 DPT=17581 WINDOW=17920 RES=0x00 SYN URGP=0

Cheers,
Dave
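One way to make use of those LOG entries, as an added example that is not part of the thread: a small Python script that parses the kernel LOG lines from /var/log/messages, records which unused ports each source address touched, and lists the sources that would be candidates for the deny list the question describes. The set of served ports and all sample lines except the one quoted in the reply are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict

# KEY=VALUE tokens of a kernel LOG entry; bare flags such as DF and SYN carry no "=".
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Ports this host really serves (assumption: real sshd was moved to 2222, as the
# question suggests). Anything else logged is a hit on an unused port.
SERVED_PORTS = {2222, 80, 443}

# Constructed sample of /var/log/messages: the first line is the one quoted in the
# reply, the others are made up (one of them is not a firewall entry at all).
SAMPLE_LOG = """\
Jun 16 00:51:01 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59652 DF PROTO=TCP SPT=59356 DPT=17581 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:03 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59653 DF PROTO=TCP SPT=59357 DPT=22 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:51:04 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59654 DF PROTO=TCP SPT=59358 DPT=8561 WINDOW=17920 RES=0x00 SYN URGP=0
Jun 16 00:52:10 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1201 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 16 00:52:11 bend kernel: IN=eth0 OUT= MAC=00:0a:5e:1a:ee:4b:00:0a:5e:1a:e9:c8:08:00 SRC=192.168.0.9 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=77 PROTO=UDP SPT=53 DPT=53 LEN=20
Jun 16 00:52:12 bend sshd[1234]: Accepted publickey for dave from 192.168.0.7 port 40001 ssh2
"""

def parse_log_line(line):
    """Return the fields of an iptables LOG entry that carries a port, else None."""
    if " kernel: " not in line:
        return None
    fields = dict(KV_RE.findall(line.split(" kernel: ", 1)[1]))
    if "SRC" not in fields or "DPT" not in fields:
        return None  # not a LOG line, or e.g. ICMP with no port
    fields["DPT"] = int(fields["DPT"])
    return fields

def unused_port_hits(log_text, served_ports=SERVED_PORTS):
    """Map each source address to the (proto, port) pairs it hit on unused ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and f["DPT"] not in served_ports:
            hits[f["SRC"]].add((f["PROTO"], f["DPT"]))
    return dict(hits)

def candidates_for_deny(hits, min_ports=2):
    """Sources that touched at least min_ports distinct unused ports, busiest first."""
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return [src for src, ports in ranked if len(ports) >= min_ports]

if __name__ == "__main__":
    hits = unused_port_hits(SAMPLE_LOG)
    for src in candidates_for_deny(hits):
        print(src, sorted(hits[src]))
```

The min_ports threshold is there so that a single stray packet to one unused port does not put an address on the list; tune it and the served-port set to the host before feeding the result to a deny list.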