On Wed, Jul 18, 2007 at 11:09:21AM -0600, Art Edwards wrote:
> I've been running debian @ home and @ work, for years, had no indication of
> attacks. Over the last few days, my iptables firewall seemed simply to
> stop. I checked my auth log file to find many, many attempts to break in.
> My firewall was very simple. I have since added rules to drop packets from
> offending IP addresses. So, I have a couple of very basic questions:
>
> 1. Are there repositories of offending IP addresses to block? Can/should
> one contribute to these?
>
> 2. The attacks never use the same user name more than once. Is there a way
> to block access, even temporarily, from an IP address after a set number of
> attempts, even if the attempts use different user names?
fail2ban automatically bans IPs after a specified number of failures. The ban only lasts 30 minutes or so, but that should be enough to deter most... and still let you in if you make a mistake.

> 3. Are there other obvious things I should be doing?

Make sure you aren't running any services you don't need and keep your firewall up-to-date. And make sure your services have sensible configs in place, too... I'm guessing you're looking at ssh attempts -- switch to pubkey authentication if you can and turn off password/challenge-response.

A
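To make the second question and the fail2ban answer concrete, here is an added example (not part of this thread, and not fail2ban's own code) that reads the "Failed password" lines sshd writes to Debian's auth.log, counts failures per source address regardless of which user name was tried, and imposes a temporary ban that expires on its own. The knob names maxretry / findtime / bantime mirror fail2ban's, but the default values, the host name, the process IDs and the TEST-NET addresses in the sample log are all constructed for this example; the log year is assumed to be 2007 because syslog timestamps carry none.

```python
from collections import defaultdict, deque
from datetime import datetime
import re

# Matches the OpenSSH "Failed password" line as written to /var/log/auth.log.
# The user name is captured but deliberately not used as a key: the counter is
# per source IP, so rotating user names does not reset it.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Syslog timestamps have no year; assume the year of the thread (assumption).
LOG_YEAR = 2007


def parse_ts(ts: str) -> float:
    """Convert 'Jul 18 11:09:21' to seconds since the epoch, assuming LOG_YEAR."""
    dt = datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(1970, 1, 1)).total_seconds()


class BanTracker:
    """Sliding-window failure counter with expiring bans.

    Modelled on fail2ban's maxretry/findtime/bantime settings; the defaults
    below are assumptions for this example, not fail2ban's shipped values.
    """

    def __init__(self, maxretry=5, findtime=600, bantime=1800):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._bans = {}                       # ip -> time at which the ban lifts

    def is_banned(self, ip, now):
        until = self._bans.get(ip)
        if until is None:
            return False
        if now >= until:
            # Ban expired: a legitimate user who mistyped a password gets back in.
            del self._bans[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Return the unban time if this failure triggers a new ban, else None."""
        if self.is_banned(ip, now):
            return None  # already banned; a real firewall rule would drop this
        window = self._failures[ip]
        window.append(now)
        while window and window[0] < now - self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            window.clear()
            until = now + self.bantime
            self._bans[ip] = until
            return until
        return None


def scan_auth_log(lines, tracker):
    """Feed auth.log lines through the tracker; return [(ip, banned_at, unban_at)]."""
    bans = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, PAM messages, etc. are not failures
        now = parse_ts(m["ts"])
        until = tracker.record_failure(m["ip"], now)
        if until is not None:
            bans.append((m["ip"], now, until))
    return bans


# Constructed sample log: one address rotates user names, one is a real user
# with a single typo, and the first address returns after its ban has lapsed.
SAMPLE_LOG = """\
Jul 18 11:09:01 home sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jul 18 11:09:04 home sshd[4015]: Failed password for invalid user test from 203.0.113.45 port 51031 ssh2
Jul 18 11:09:07 home sshd[4018]: Failed password for root from 203.0.113.45 port 51040 ssh2
Jul 18 11:09:10 home sshd[4021]: Failed password for invalid user oracle from 203.0.113.45 port 51052 ssh2
Jul 18 11:09:13 home sshd[4024]: Failed password for invalid user guest from 203.0.113.45 port 51061 ssh2
Jul 18 11:09:16 home sshd[4027]: Failed password for invalid user www from 203.0.113.45 port 51070 ssh2
Jul 18 11:12:40 home sshd[4050]: Failed password for art from 198.51.100.7 port 40001 ssh2
Jul 18 11:12:47 home sshd[4051]: Accepted publickey for art from 198.51.100.7 port 40002 ssh2
Jul 18 11:50:02 home sshd[4200]: Failed password for invalid user backup from 203.0.113.45 port 52001 ssh2
""".splitlines()


def run_demo():
    """Scan SAMPLE_LOG with default settings; return (bans, tracker)."""
    tracker = BanTracker()
    return scan_auth_log(SAMPLE_LOG, tracker), tracker


if __name__ == "__main__":
    for ip, at, until in run_demo()[0]:
        print(f"ban {ip} for {int(until - at)}s after 5 failures at t={int(at)}")
```

With the defaults, the fifth failure from 203.0.113.45 at 11:09:13 triggers a 30-minute ban, the sixth attempt is ignored while the ban is active, the single failure from 198.51.100.7 never reaches the threshold, and by 11:50 the ban has lapsed so the counter starts again from one. Lowering findtime is how you keep a slow, spread-out scan from ever tripping the threshold, so it is worth tuning alongside maxretry rather than only raising bantime.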