Hi,

For ssh login attempts you can use the program authfail (after 4 wrong login attempts it adds the proper IP to netfilter with a DROP rule, sending a notification to the IP class owner from the whois database).

"Jérémie Marguerie" <jere...@marguerie.org> wrote:
>On 5 Feb 2013 17:52, "Daniel Curtis" <sidetripp...@gmail.com> wrote:
>> I've added a rule to my iptables script, which is responsible for
>> filtering --tcp-flags and INVALID state. After addition of this rule,
>> I've noticed that many IP addresses are trying to scan(?) my
>> computer, but it is not so obvious, because, for me, from iptables
>> rule point of view, NULL Scan is something different (see below).
>> This rule looks this way and is related to the incoming connections:
>>
>> [...]
>>
>> Mostly all of the log entries related to the NULL Scan are the same - the same
>> SPT, TTL and PROTO values. Of course, sometimes IP addresses were changed.
>>
>> Best regards!
>
>Hi,
>
>Don't put too much time into those "strange packets" received.
>
>There is a countless number of bots and script kiddies scanning the whole
>ipv4 range (and bruteforcing passwords also). They often use standard
>scanning like syn scan and sometimes you find some people trying to exploit
>vulnerabilities quite old (ping of the death, Xmas tcp packets...).
>
>Should you worry? No, at least if you take simple precautions: block
>everything except what you need (port 80? 22?...) and be as restricted as
>possible (from which network...).
>
>And use a hard password.
>
>You'll be scanned, many times a day, you'll also be bruteforced and however
>not normal, this is just "noise".
>
>Respect usual security measures and you won't really be bothered by this
>noise (but by a more advanced threat you could :)).
>
>A simple iptables firewall with input dropped by default and allowing
>certain ports should work for most servers.
>
>--
>Jérémie Marguerie

Regards,
Bartek
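
The threshold blocking described in the reply above (an address is dropped after 4 failed ssh logins), as an added example that is not authfail's code and not part of the thread. It assumes the OpenSSH "Failed password" log line format; the function names, the allowlist parameter and the sample log are constructed for illustration, the rules are only built (not executed), and the whois notification is left out.

```python
import ipaddress
import re
from collections import Counter

THRESHOLD = 4  # failed logins before blocking, the figure given in the reply

# OpenSSH "Failed password" line (assumed log format). Anchored at end of line so
# text inside the attempted username cannot stand in for the real source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+(?: ssh\d?)?\s*$")

# Constructed sample log (documentation address ranges, not real traffic).
_L = "Feb  5 17:0{}:10 host sshd[811]: Failed password for {} from {} port 40111 ssh2"
SAMPLE_LOG = (
    [_L.format(i, "root", "203.0.113.7") for i in range(4)]
    + [_L.format(i, "invalid user x from 192.0.2.50 port 1 ssh2", "198.51.100.9")
       for i in range(4)]
    + [_L.format(i, "admin", "192.0.2.10") for i in range(5)]  # admin's own host
    + [_L.format(i, "invalid user test", "203.0.113.99") for i in range(3)]
)


def offenders(lines, threshold=THRESHOLD, allowlist=()):
    """Return addresses with at least `threshold` failed logins, minus the allowlist."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or junk, never passed on to a firewall command
        if not any(addr in net for net in allowed):
            counts[addr] += 1
    return sorted((a for a, n in counts.items() if n >= threshold), key=str)


def drop_rules(addrs):
    """Build (not run) one DROP rule per address as an argv list."""
    return [["iptables" if a.version == 4 else "ip6tables",
             "-I", "INPUT", "-s", str(a), "-j", "DROP"] for a in addrs]


if __name__ == "__main__":
    for argv in drop_rules(offenders(SAMPLE_LOG, allowlist=["192.0.2.10"])):
        print(" ".join(argv))
```

The allowlist keeps an administrator's own address from being locked out by mistyped passwords, and validating the address with `ipaddress` keeps log text from reaching the firewall command unchecked.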