On Tuesday 02 December 2008 17:26, T o n g wrote:
> Hi,
>
> How can I stop an active network connection? e.g.,
>
> $ netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911 ESTABLISHED
>
> Because barbarians are pounding at my sshd gate again:
>
> . . .
> Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user unknown
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-72-55-146-217.static.privatedns.com
> Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad from 72.55.146.217 port 42328 ssh2
> . . .
>
> I shut down my sshd daemon, but the network bandwidth did not drop. The
> active connection went away in the netstat output, which is wrong, and
> iftop was able to reveal the still-live connection.

I use a thing called "fail2ban", which will monitor log entries and
dynamically update your firewall to block IP addresses which are the
source of too many failures.

I set it up years ago, and don't recall the specifics, but it's
packaged for Debian, and I recall it being reasonably straightforward
to set up.

The way I have it set up, it will block particular users who can't get
their password right after three tries. I believe it can also be set up
to block particular IP addresses that try multiple usernames, but I'm
not 100% sure.

				-- A.
-- 
Andrew Reid / [EMAIL PROTECTED]
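
The kind of log monitoring described in the reply above, as an added example that is not part of the original message and is not fail2ban's own code: it counts sshd "Failed password" lines per source address inside a sliding time window and reports the addresses that reach the limit, which is the point at which a firewall rule would be added. The function name, the ten-minute window, the per-address counting and the sample log lines (documentation addresses) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sshd failure line, in the syslog layout shown in the quoted log.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def addresses_to_ban(lines, max_retry=3, find_time=timedelta(minutes=10), year=2008):
    """Return source addresses with max_retry failures inside find_time, in order seen."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins, pam_unix lines, other daemons
        # Syslog timestamps carry no year, so one is supplied (assumption).
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()  # forget failures older than the window
        if len(window) >= max_retry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

# Constructed sample input, not taken from the original log.
SAMPLE = [
    "Dec  2 16:00:00 helios sshd[9100]: Failed password for invalid user chad from 198.51.100.20 port 40000 ssh2",
    "Dec  2 16:00:05 helios sshd[9100]: Failed password for root from 198.51.100.20 port 40000 ssh2",
    "Dec  2 16:41:37 helios sshd[9201]: Invalid user chad from 203.0.113.7",
    "Dec  2 16:41:39 helios sshd[9201]: Failed password for invalid user chad from 203.0.113.7 port 42328 ssh2",
    "Dec  2 16:41:42 helios sshd[9201]: Failed password for invalid user bob from 203.0.113.7 port 42328 ssh2",
    "Dec  2 16:41:45 helios sshd[9201]: Failed password for root from 203.0.113.7 port 42328 ssh2",
    "Dec  2 16:42:00 helios sshd[9300]: Accepted password for alice from 192.0.2.10 port 51000 ssh2",
    "Dec  2 16:45:00 helios sshd[9400]: Failed password for root from 198.51.100.20 port 40001 ssh2",
]

if __name__ == "__main__":
    for ip in addresses_to_ban(SAMPLE):
        print("would block", ip)
```

The second address fails three times in total but never three times within ten minutes, so only the first is reported.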