David G. Miller wrote:
> Rainer Traut <tr.ml at ...> writes:
>
>> to prevent scripted dictionary attacks on sshd
>> I applied those iptables rules:
> SNIP
>
> Lots of good advice from several people. All of the suggested solutions
> mean you still have to wade through log entries from the unsuccessful attacks.

Except for tools like fail2ban.

> I've been quite happy with similar iptables rules but I moved sshd to
> listen on something other than port 22 for external connections. I haven't seen a
> single brute force attack since making the move and all unsuccessful attempts to
> login via ssh get logged so it's not like attackers can stay below my radar.
>
> It seems that the script kiddies who are responsible for most of these
> attacks don't bother scanning (nmap) before the attack. If port 22 isn't open
> they move elsewhere. If I ever see any failed login attempts I can assume that the
> perpetrator is at least a little more skilled than usual and possibly take
> additional action.

*sigh* It's not even script kiddies much, anymore: it's China, and Brazil, and then, way down, Russia, Thailand, Italy, the Netherlands, etc., etc. - botnets. Some are, obviously, with misspelled logins (from last night: comercial, or a, aa, aaa) but some do know: root, oracle, netdump....

mark "ah, to return to the good ol' days, before Cantor and Siegal"
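Both posters lean on the same thing: sshd logs every failed login, so the question is how to read those lines without wading through them by hand. The script below is an added example, not code from anyone in the thread. It parses constructed sample lines in the format OpenSSH writes to the auth log (the IP addresses are documentation ranges and the usernames, including the misspelled ones mark mentions, are made up), groups failures per source address the way a fail2ban-style rule would, and separates guesses at real local accounts from junk usernames. The threshold of three failures and the local account list are assumptions chosen for the demonstration.

```python
"""Summarise failed sshd logins from an auth log.

Added example for this thread, not code posted by any participant.
The log lines are constructed samples in OpenSSH's syslog format.
"""
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not real data).
SAMPLE_LOG = """\
Mar  3 02:11:07 host sshd[4121]: Failed password for invalid user comercial from 203.0.113.5 port 51012 ssh2
Mar  3 02:11:09 host sshd[4123]: Failed password for invalid user a from 203.0.113.5 port 51020 ssh2
Mar  3 02:11:11 host sshd[4125]: Failed password for invalid user aa from 203.0.113.5 port 51031 ssh2
Mar  3 02:11:13 host sshd[4127]: Failed password for invalid user aaa from 203.0.113.5 port 51044 ssh2
Mar  3 02:12:40 host sshd[4130]: Failed password for root from 198.51.100.23 port 40211 ssh2
Mar  3 02:12:42 host sshd[4132]: Failed password for invalid user oracle from 198.51.100.23 port 40219 ssh2
Mar  3 02:12:44 host sshd[4134]: Failed password for invalid user netdump from 198.51.100.23 port 40230 ssh2
Mar  3 02:15:01 host sshd[4140]: Accepted publickey for mark from 192.0.2.10 port 55000 ssh2
Mar  3 02:16:30 host sshd[4142]: Failed password for mark from 192.0.2.10 port 55011 ssh2
"""

# Matches both "Failed password for root from ..." (existing account) and
# "Failed password for invalid user oracle from ..." (unknown account).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return a list of (ip, user) tuples, one per failed password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("ip"), m.group("user")))
    return failures


def summarise(failures, threshold=3):
    """Group failures by source IP.

    Returns (per_ip, offenders): per_ip maps ip -> {"count", "users"};
    offenders is the set of IPs with at least `threshold` failures, i.e.
    the ones a fail2ban-style rule would act on. The threshold is an
    assumption for this example.
    """
    per_ip = defaultdict(lambda: {"count": 0, "users": []})
    for ip, user in failures:
        per_ip[ip]["count"] += 1
        if user not in per_ip[ip]["users"]:
            per_ip[ip]["users"].append(user)
    offenders = {ip for ip, info in per_ip.items() if info["count"] >= threshold}
    return dict(per_ip), offenders


def classify_usernames(failures, local_accounts):
    """Split attempted usernames into guesses at real local accounts and
    junk or misspelled names, the distinction the thread draws."""
    attempted = Counter(user for _, user in failures)
    real = {u: n for u, n in attempted.items() if u in local_accounts}
    junk = {u: n for u, n in attempted.items() if u not in local_accounts}
    return real, junk


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    per_ip, offenders = summarise(fails)
    for ip, info in sorted(per_ip.items(), key=lambda kv: -kv[1]["count"]):
        flag = "BLOCK" if ip in offenders else "     "
        print(f"{flag} {ip:15} {info['count']:3} failures  users={info['users']}")
    # Assumed local account list for the demonstration.
    real, junk = classify_usernames(fails, {"root", "mark"})
    print("guesses at real accounts:", real)
    print("junk usernames:", junk)
```

Run it against a real auth log by replacing `SAMPLE_LOG` with the file contents; the single failure from the address that also has an accepted login stays below the threshold, which is the kind of case a blanket ban rule would get wrong.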