[wellylug] Blocking bad IPs from server
David Antliff
david.antliff at gmail.com
Fri Feb 9 11:05:01 NZDT 2007
On 26/01/07, scott at slackisland.org <scott at slackisland.org> wrote:
> is this going to be OK if you have, say, 2539 bad IPs? I've been running
> SSH on a nonstandard port and use knockd to open that ssh port up, so
> every attempted connection to the standard ssh port I've considered
> malicious. Doing this:
>
> tac /var/log/ulogd/ulogd.syslogemu | grep 'DPT=22' | awk '{print $9}' |
> sort | uniq | cut -c 5-19 > /var/log/sshattemptssorted.txt
>
> gives me a full list of IP addresses that have hit my SSH port, so I was
> thinking of using blacklists in shorewall firewall to permanently drop
> these IPs. However that requires a kernel recompile and I haven't had time
> to get around to that yet, so I'm wondering if it's feasible to add so
> many IPs to iptables. Wouldn't this have a performance impact?
Late reply, I realise.
I use DenyHosts - this can result in a big list of blacklisted IP
addresses in /etc/hosts.deny; however, it can be configured to remove
them after a period of time. Either way, it's a useful way to stop an
attack on a service after the first five failed attempts (too bad if
they hit your username and password in less than five, eh?). With
DenyHosts you have to be careful not to lock yourself out by accident,
but you can provide always-whitelist IP addresses from known-safe
hosts just in case.
DenyHosts watches your access log for failed connection attempts.
Works well - I've been running it for 6 months without any issues.
Informal log analysis shows attempts on my SSH port have dropped
enormously (down to about 5 attempts every 20 minutes, always from a
new IP address, rather than an almost constant stream).
The value isn't so much in the final black-list, but the ability to
put a stop to the attack very quickly.
--
David.
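A small model of the DenyHosts behaviour David describes (deny a source after five failed attempts, never deny always-allowed hosts, drop entries again after a purge period), written as an added example for this thread; it is not DenyHosts' own code, and the sshd log lines, the addresses and the seven-day purge window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the OpenSSH "Failed password" lines DenyHosts watches in the auth log
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 5                      # deny after this many failures (assumed)
PURGE_AFTER = timedelta(days=7)    # forget denied hosts after this (assumed)
ALWAYS_ALLOW = {"192.0.2.10"}      # known-safe hosts that must never be locked out

def parse_failures(lines, year=2007):
    """Yield (timestamp, source ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def build_denylist(lines, now):
    """Return {ip: time_denied} for non-whitelisted IPs that reached THRESHOLD
    failures, dropping entries older than PURGE_AFTER relative to `now`."""
    counts = defaultdict(int)
    denied = {}
    for ts, ip in parse_failures(lines):
        if ip in ALWAYS_ALLOW:
            continue
        counts[ip] += 1
        if counts[ip] == THRESHOLD:
            denied[ip] = ts
    return {ip: t for ip, t in denied.items() if now - t < PURGE_AFTER}

def hosts_deny_lines(denylist):
    """Render entries in the hosts.deny form (service: address)."""
    return [f"sshd: {ip}" for ip in sorted(denylist)]

def _line(day, hhmmss, ip, user="root"):
    return f"Feb {day:2d} {hhmmss} host sshd[1234]: Failed password for {user} from {ip} port 4022 ssh2"

# Constructed sample log: one source past the threshold, one below it,
# one whitelisted, and one old enough to have been purged by NOW
SAMPLE_LOG = (
    [_line(9, f"10:00:{i:02d}", "198.51.100.7") for i in range(5)]
    + [_line(9, f"10:01:{i:02d}", "203.0.113.9", "invalid user test") for i in range(3)]
    + [_line(9, f"10:02:{i:02d}", "192.0.2.10") for i in range(6)]
    + [_line(1, f"03:00:{i:02d}", "198.51.100.99") for i in range(5)]
)
NOW = datetime(2007, 2, 9, 11, 5)
```

Run it with `hosts_deny_lines(build_denylist(SAMPLE_LOG, NOW))` to see only 198.51.100.7 denied: the whitelisted host is skipped, the three-failure host is under the threshold, and the week-old entry has expired.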