Re: Denial of service

Jacques B. wrote:
So I turned off sshd but that didn't stop the problem. I am getting hit
several times a second by someone. I would sure like to at least know
the IP they are from.

        Karl F. Larsen, AKA K5DI

Throw a gateway/router in front of your machine.  It will add a layer
of protection and pretty much kill the noise altogether except on
ports that you have services running and have port forwarding enabled
on the router.  Otherwise any attempts to initiate a connection gets
dropped at the router.

If you do have a router and did not disable port forwarding after
shutting down sshd, and left port 22 open on your box then you will
still get noise I expect, just no daemon listening on that port.

And as Jonathan asked, how do you know this?  If it's via your
/var/log/secure then you have their IPs in the log.  If it's against a
web server then you will have their IPs in those logs.  Where are you
seeing all these hits on your system?

Jacques B.


Also take a look at OSSEC, it will email you the portion of the logs about the sshd attacks and has an active-response module that will add the IP to hosts.deny or set up iptables rules to block that IP for a set duration. I use it on several servers and it works really well.



--
Recedite, plebes! Gero rem imperialem!


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
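
Pulling the source addresses out of /var/log/secure, as suggested in the thread, can be scripted. The following is an added example, not part of the original messages; the log lines are constructed samples in sshd's usual syslog format and the function name is hypothetical. Because the user name in these messages is chosen by the remote side, the address is matched at the end of the line rather than at the first "from".

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Mar  3 04:12:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 04:12:02 host sshd[2215]: Invalid user test from 198.51.100.23
Mar  3 04:12:03 host sshd[2215]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Mar  3 04:12:05 host sshd[2219]: Did not receive identification string from 203.0.113.7
Mar  3 04:13:10 host sshd[2230]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Mar  3 04:13:11 host sshd[2240]: Failed password for invalid user x from 10.0.0.1 from 198.51.100.23 port 51600 ssh2
"""

# Only messages logged by sshd itself are considered.
SSHD = re.compile(r"\ssshd\[\d+\]:\s(.*)$")

# The greedy ".*" swallows the user name, so the captured address is the
# last "from <addr>" on the line, which is the part sshd wrote itself.
PATTERNS = [re.compile(p) for p in (
    r"Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$",
    r"Invalid user .* from (\S+)(?: port \d+)?$",
    r"Did not receive identification string from (\S+)(?: port \d+)?$",
)]

def failed_ssh_sources(lines):
    """Count failed or aborted sshd connection attempts per source address."""
    counts = Counter()
    for line in lines:
        m = SSHD.search(line.rstrip())
        if not m:
            continue
        for pat in PATTERNS:
            hit = pat.match(m.group(1))
            if hit:
                try:
                    addr = ipaddress.ip_address(hit.group(1))
                except ValueError:
                    break  # not a literal address (e.g. a resolved host name)
                counts[str(addr)] += 1
                break
    return counts

if __name__ == "__main__":
    # On a real system, pass open("/var/log/secure") instead of the sample.
    for addr, n in failed_ssh_sources(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:6d}  {addr}")
```
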