[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.00.1110030548020.7763@mtl.rackplans.net>
Date: Mon, 3 Oct 2011 05:49:52 -0400 (EDT)
From: gmack@...erfire.net
To: "Frank A. Kingswood" <frank@...gswood-consulting.co.uk>
cc: Steven Rostedt <rostedt@...dmis.org>, Willy Tarreau <w@....eu>,
Greg KH <greg@...ah.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: kernel.org status: hints on how to check your machine for
intrusion
On Sat, 1 Oct 2011, Frank A. Kingswood wrote:
> On 01/10/11 19:06, Steven Rostedt wrote:
> > On Sat, Oct 01, 2011 at 09:35:33AM +0200, Willy Tarreau wrote:
> > >
> > For my machine that is connected to the outside world, I have a script
> > that runs every night that checks for attacks. As bots constantly look
> > for port 22 and 80, they find my machine without issue. When my script
> > detects a bunch of ssh login attempts that fail, it will add that ip
> > address to the iptables DROP chain:
> >
> > # iptables -L -n | grep DROP | wc -l
> > 2656
> >
> > I've picked up quite a few ;)
> >
> > This script only runs and scans once at night. Probably better to have
> > it run more often.
>
> Limiting SSH accesses to a few a minute (failed or not) is useful to block
> many password guess attacks. I set up mine a long time ago following this
> article using "recent" matches in iptables:
>
> http://www.debian-administration.org/articles/187
>
> You'll want to set the same rules for ipv6.
>
> This won't stop low frequency and distributed attacks, and sometimes but
> extremely rarely I find myself connecting more quickly than the rate limit.
Too easy to hit the rate limit if you work in an office full of people who
use scp for file uploads.
Gerhard
--
Gerhard Mack
gmack@...erfire.net
<>< As a computer, I find your faith in technology amusing.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists