Denial of service

Mark Haney mhaney at ercbroadband.org
Thu Oct 4 14:35:02 UTC 2007


Jacques B. wrote:
>> So I turned off sshd but that didn't stop the problem. I am getting hit
>> several times a second by someone. I would sure like to at least know
>> the IP they are from.
>>
>>         Karl F. Larsen, AKA K5DI
> 
> Throw a gateway/router in front of your machine.  It will add a layer
> of protection and pretty much kill the noise altogether except on
> ports that you have services running and have port forwarding enabled
> on the router.  Otherwise any attempts to initiate a connection get
> dropped at the router.
> 
> If you do have a router and did not disable port forwarding after
> shutting down sshd, and left port 22 open on your box then you will
> still get noise I expect, just no daemon listening on that port.
> 
> And as Jonathan asked, how do you know this?  If it's via your
> /var/log/secure then you have their IPs in the log.  If it's against a
> web server then you will have their IPs in those logs.  Where are you
> seeing all these hits on your system?
> 
> Jacques B.
> 

Also take a look at OSSEC, it will email you the portion of the logs 
about the sshd attacks and has an active-response module that will add 
the IP to hosts.deny or set up iptables rules to block that IP for a set 
duration.  I use it on several servers and it works really well.



-- 
Recedite, plebes! Gero rem imperialem!


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
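
The thread notes that /var/log/secure already holds the source IPs of the sshd attempts. As an added example (not part of the original post, and not OSSEC's own logic), this script counts failed sshd password attempts per source address; the function names and log lines are constructed for illustration, and it assumes the "Failed password ... from <ip> port <n> ssh2" line format.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per source IP.
# Reads sshd lines in the /var/log/secure format on stdin and prints
# "<count> <ip>" for each source at or above the threshold, busiest first.
# failed_ssh_sources and sample_secure_log are hypothetical names.
failed_ssh_sources() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        # Only sshd "Failed password" records are counted.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
            # The user name is supplied by the remote client and may itself
            # contain " from <ip>", so read the address by position from
            # the end of the line: "... from <ip> port <n> ssh2".
            if ($(NF-4) == "from" && $(NF-2) == "port")
                hits[$(NF-3)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    print hits[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses, not real log data).
# The last line carries a user name that embeds a misleading "from <ip>".
sample_secure_log() {
    cat <<'EOF'
Oct  4 10:12:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Oct  4 10:12:03 host sshd[2213]: Failed password for root from 203.0.113.7 port 40130 ssh2
Oct  4 10:12:04 host sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Oct  4 10:12:09 host sshd[2217]: Failed password for root from 198.51.100.23 port 51812 ssh2
Oct  4 10:13:00 host sshd[2220]: Accepted password for karl from 192.0.2.10 port 51000 ssh2
Oct  4 10:13:05 host sshd[2222]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.23 port 51820 ssh2
EOF
}

# Report sources with three or more failures in the sample.
sample_secure_log | failed_ssh_sources 3
```

On a live system the same function can be fed the real log, for example `failed_ssh_sources 10 < /var/log/secure` run as root.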



