Odd ssh attacks?
Njoku, George O.
njokug at winthrop.edu
Fri Jul 20 14:08:21 UTC 2007
Really? Currently I'm using "iptables"...I had thought using hosts.deny
would be better for TCP wrappers. Together with iptables I use
"iptables-save" to save the current iptables rules (just in case I have
to reboot the computer), then I can "iptables-restore" the rules.
I also do a match against a "blocked-ip file" (written by the script) so I
wouldn't get multiple rules on the same entry.
But thx for the tip. I'll scratch the modifications to add to hosts.deny.
PS: I will post the script as soon as I get my home IP (damn ISP changed ma
IP...can't ssh yet...need to make a phone call)
George
-----Original Message-----
From: ubuntu-users-bounces at lists.ubuntu.com
[mailto:ubuntu-users-bounces at lists.ubuntu.com] On Behalf Of David Ford
Sent: Friday, July 20, 2007 9:57 AM
To: Ubuntu user technical support,not for general discussions
Subject: Re: Odd ssh attacks?
Putting them in hosts.deny uses a lot more resources than iptables.
Iptables is your first line of defense encountered when a packet arrives
at your machine. There is no context switch into userland. The CPU
cycles, RAM, and disk used to block connections in userland instead of
via iptables are far more expensive.
The iptables method is extremely fast, entirely reliable and entirely
automatic. No log processing needed, no crontab entries. No need to
run inetd and tcpwrappers. No need for any userland interaction save
for the iptables startup when you boot your machine.
It isn't better to use hosts.deny instead of iptables. It's much slower
and a little more error prone.
-david
Njoku, George O. wrote:
> I constantly monitor my log files ( ssh = /var/log/secure - fedora
> )...(/var/log/auth.log for Ubuntu)
>
> I wrote a Perl script and put it in cron (4 times an hour) to block IPs of
> probes-"Invalid Users".
> Normally ssh client bots keep trying different users to brute force
> their way in.
>
> Rather than having them constantly trying flooding my network with
> requests, I just block IP.
> Currently, I use iptables, but it could be better to put them in
> hosts.deny
>
> I know...unconventional, but ok.
>
> George
>
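
The log-scan-and-block approach described in this thread, as an added example: it is not George's Perl script (which was not posted) and is written in Python instead. It takes the address after the last "from" on each line, because the user name in an sshd "Invalid user" line is chosen by the connecting client. The sample log lines are constructed, and the threshold of 3, the `allowlist` parameter and the port 22 match are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Tail of an sshd probe line: "Invalid user <name> from <ip>[ port <n>]".
# <name> is chosen by the client, so the greedy ".*" and the "$" anchor make
# the match take the LAST "from", which sshd itself wrote.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?\s*$")

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = [
    "Jul 20 09:12:01 box sshd[2101]: Invalid user admin from 203.0.113.7",
    "Jul 20 09:12:03 box sshd[2103]: Invalid user test from 203.0.113.7",
    "Jul 20 09:12:05 box sshd[2105]: Invalid user oracle from 203.0.113.7",
    "Jul 20 09:13:10 box sshd[2110]: Invalid user a from 198.51.100.23 port 4022",
    "Jul 20 09:13:12 box sshd[2112]: Invalid user b from 198.51.100.23 port 4023",
    "Jul 20 09:13:14 box sshd[2114]: Invalid user x from 192.0.2.1 from 198.51.100.23 port 4024",
    "Jul 20 09:20:00 box sshd[2120]: Invalid user goerge from 192.0.2.50",
    "Jul 20 09:20:09 box sshd[2121]: Accepted password for george from 192.0.2.50 port 5000 ssh2",
]

def offenders(log_lines, threshold=3):
    """Return IPv4 addresses seen in at least `threshold` invalid-user lines."""
    hits = Counter()
    for line in log_lines:
        m = INVALID_USER.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an address literal: never hand it to iptables
        if ip.version == 4:  # iptables is IPv4 only; IPv6 would need ip6tables
            hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def new_block_rules(log_lines, already_blocked, allowlist=(), threshold=3):
    """Build iptables argv lists, skipping IPs already in the blocked-IP file."""
    skip = set(already_blocked) | set(allowlist)
    return [["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp",
             "--dport", "22", "-j", "DROP"]
            for ip in offenders(log_lines, threshold) if ip not in skip]

if __name__ == "__main__":
    for argv in new_block_rules(SAMPLE_LOG, already_blocked={"203.0.113.7"}):
        print(" ".join(argv))
```

The rules are returned as argument lists and only printed, so nothing touches the firewall; putting your own address in `allowlist` keeps a mistyped login from locking you out.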