On Fri, Nov 11, 2005 at 04:15:28PM -0600, J.D. Bronson wrote:
> At 03:57 PM 11/11/2005, Joachim Schipper wrote:
> >On Fri, Nov 11, 2005 at 04:44:46PM -0500, stan wrote:
> >> I've got a machine that seems to be getting attacked by what appears to be a
> >> simplistic "brute force" attack. It's getting hit multiple times a second
> >> with bogus root login attempts, my guess is that they are trying dictionary
> >> attacks on the password for root.
> >>
> >> Any suggestions as to how to deal with this? Change the port ssh is
> >> listening on maybe?

<snip: me>

> or maybe something like this (untested):
>
> If you're running pf:
>
> First add a line to create a persistent table:
>
> table <attackers> persist
>
> and a block rule like this
>
> block in quick from <attackers>
>
> then add a rule like this....
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state
> (max-src-conn-rate 3/10, overload <attackers> flush)
>
> basically it says if an IP tries to connect more than 3 times in 10 seconds
> add them to the attackers table, which is blocked of course.
>
> -JD

This sort of thing is really popular, but I don't see the point. Just
run...

# DEFAULT_GATEWAY=`route show | grep default`
# for i in 1 2 3 4 5 6; \
	do for j in 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16; \
		do nmap -e rl0 -S $DEFAULT_GATEWAY -p 22 192.168.0.$j; \
		done; \
	done

		Joachim
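
The pf rules quoted in this thread, assembled into one ruleset with an exemption for known-good hosts so they cannot land in the block table. This is an added example, not part of either poster's message; the interface name `rl0` is taken from the reply above as an assumption, and the `<trusted>` table and its address `192.0.2.10` are constructed placeholders.

```conf
# pf.conf fragment (added example; adjust the assumed values).
ext_if = "rl0"                       # assumption: external interface

# Hosts that must never be locked out (admin workstation, gateway, monitoring).
# 192.0.2.10 is a constructed placeholder address.
table <trusted> const { 192.0.2.10 }

# Filled automatically by the overload rule below.
table <attackers> persist

# 1. Trusted hosts match first. Because of "quick", evaluation stops here,
#    so they bypass both the block rule and the rate limit.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port 22 keep state

# 2. Anything already in the table is dropped.
block in quick from <attackers>

# 3. Everyone else may connect, but a source exceeding 3 connections in
#    10 seconds is added to <attackers> and its existing states are flushed.
#    pf.conf(5) describes max-src-conn-rate as a limit on connections that
#    have completed the TCP 3-way handshake.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state \
    (max-src-conn-rate 3/10, overload <attackers> flush)

# Inspecting and maintaining the table from the shell:
#   pfctl -t attackers -T show            list blocked addresses
#   pfctl -t attackers -T delete <addr>   remove one address
```

Rule order matters here: with `quick` on every rule, the first match wins, so the `<trusted>` pass rule has to come before the block rule.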