Art Edwards wrote:
> I've been running debian @ home and @ work, for years, had no indication
> of attacks. Over the last few days, my iptables firewall seemed simply
> to stop. I checked my auth log file to find many, many attempts to break
> in. My firewall was very simple. I have since added rules to drop
> packets from offending IP addresses. So, I have a couple of very basic
> questions:
> 1. Are there repositories of offending IP addresses to block? Can/should
> one contribute to these?
> 2. The attacks never use the same user name more than once. Is there a
> way to block access, even temporarily, from an IP address after a set
> number of attempts, even if the attempts use different user names?
> 3. Are there other obvious things I should be doing?
ssh, by its design, is insecure. It SHOULD incorporate some means of
limiting password attempts. It does not! Using alternate ports can be a
pain in the butt as some programs (like webmin "filesystem backup") do
not support alternate ports. I suggest 2 methods, fail2ban and a
firewall, if you must allow password logins. You can set the firewall to
allow only certain IPs or IP ranges. But do not get too comfortable with
a firewall ONLY solution. The first time the local firewall goes down,
or is taken down and forgotten to re-enable, you'll get compromised.
Again, the best solution would be for ssh to incorporate a solution,
thus if ssh is started, the solution is started...
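Question 2 asks for blocking a source address after a set number of failures even when every attempt uses a different user name; that is what fail2ban's sshd jail does. As an added example (not code from this thread or from fail2ban), here is the core of that logic in Python over a constructed auth.log excerpt: count sshd "Failed password" lines per source IP inside a time window and flag the addresses that cross the threshold. The `maxretry`/`findtime` names are borrowed from fail2ban's options; the log lines and addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (syslog format, no year). Every failure
# from 203.0.113.7 uses a different user name, as described in the question.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:03 host sshd[2002]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Mar  3 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:00:06 host sshd[2004]: Accepted publickey for art from 192.0.2.10 port 51000 ssh2
Mar  3 10:00:09 host sshd[2005]: Failed password for invalid user oracle from 203.0.113.7 port 40150 ssh2
Mar  3 10:00:20 host sshd[2006]: Failed password for art from 192.0.2.10 port 51002 ssh2
Mar  3 10:30:00 host sshd[2007]: Failed password for invalid user guest from 198.51.100.9 port 60000 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one so the window arithmetic works
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(log_text, maxretry=4, findtime_s=600):
    """Return {ip: set(user_names)} for every source IP that produced at least
    maxretry failures within any findtime_s-second window. Counting is keyed
    on the IP alone, so rotating user names does not evade the threshold."""
    window = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> user names tried so far
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                          # successful logins and other noise
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = window[ip]
        q.append(ts)
        users[ip].add(m["user"])
        while (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()                       # drop failures older than the window
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = set(users[ip])
    return flagged

def block_rule(ip, port=22):
    """Temporary iptables rule a ban action would insert for a flagged address."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
```

A single failure from an otherwise legitimate host (192.0.2.10 above) stays below the threshold, which is the behaviour you want so that one mistyped password does not lock a real user out.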