There is an iptables geoip module to allow you to specify countries. I never used it though. The advantage of denyhosts is that it not only bans addresses but also shares banned hosts with a network of a few thousand installations (an opt-in option), so you are not on your own. Moving ssh to a non-standard port is the best thing you can do under the circumstances you describe, IMHO. Another option might be to tar-pit attackers (using iptables) - that way you can slow down their traffic so hopefully they'll eat less of your bandwidth.

-Amos

On 10/10/09, Toby Bluhm <tkb at alltechmedusa.com> wrote:
> Toby Bluhm wrote:
>> Niki Kovacs wrote:
>>> Hi,
>>>
>>> I just set up a web server... and my bandwidth is being eaten by some
>>> Chinese folks trying to brute-force-ssh their way into the machine.
>>>
>>> Is there a simple way to banish either single IP addresses or, maybe
>>> even better, whole IP classes? I know it's feasible with iptables, but
>>> is there something more easily configurable?
>>>
>>> Cheers,
>>>
>>
>> Try fail2ban from rpmforge.
>>
>
> Also, if you're using the standard fw that ships with centos, you can
> stop entire blocks of IPs by manually inserting rules after iptables starts:
>
> iptables -I RH-Firewall-1-INPUT 1 -s 1.2.3.4/24 -p tcp --dport 22 -j DROP
>
> IP ranges by country:
> http://www.countryipblocks.net/country-blocks/select-formats/
>
> The IP ranges will change from time to time, so you have to check often.
> You could script in a download from
> http://www.countryipblocks.net/continents/ to keep it current.
>
> Like someone said, if you have to keep ssh open to the world, changing
> the port number will dramatically cut down on the attempts.
>
> --
> tkb
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
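As an added example (not code from the thread), here is a small script in the spirit of Toby's suggestion to script the block-list download: it validates a list of CIDR ranges and turns it into DROP rules for the stock CentOS RH-Firewall-1-INPUT chain. It assumes the downloaded list is one CIDR per line (the countryipblocks.net plain-text format is assumed to look like that), defaults to port 22, and uses a constructed sample list in place of a real download.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds iptables DROP rules
# from a country block list. Assumed: one CIDR per line in the list, ssh on
# port 22, and the stock CentOS chain name RH-Firewall-1-INPUT.

# Constructed sample list standing in for a downloaded file (not real data).
SAMPLE_BLOCKLIST='# constructed sample, not real country data
10.0.0.0/8
192.0.2.0/24
not-an-address
198.51.100.0/24
'

# Keep only lines shaped like a.b.c.d/n with a prefix length of 0-32.
# Octet values are not range checked. Anything else is discarded, so a
# corrupted download cannot smuggle extra arguments into the iptables call.
valid_cidrs() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Emit one DROP rule per CIDR, inserted at position 1 so it is evaluated
# before the ACCEPT rule for ssh that the stock firewall already holds.
# Usage: build_rules [chain] [port]   (reads the list on stdin)
build_rules() {
    chain=${1:-RH-Firewall-1-INPUT}
    port=${2:-22}
    valid_cidrs | while IFS= read -r cidr; do
        printf 'iptables -I %s 1 -s %s -p tcp --dport %s -j DROP\n' \
            "$chain" "$cidr" "$port"
    done
}

# Number of rules a list yields. Useful after each refresh: a list that
# suddenly produces zero rules is a failed download, not an empty country.
count_rules() {
    build_rules "$@" | wc -l | tr -d ' '
}

# Dry run by default; APPLY=1 executes the generated rules (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$SAMPLE_BLOCKLIST" | build_rules | sh
else
    printf '%s\n' "$SAMPLE_BLOCKLIST" | build_rules
fi
```

Replace SAMPLE_BLOCKLIST with the downloaded file (for example `build_rules < country.txt`) and pass the port as the second argument if you move ssh off 22 as Amos suggests.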