On Monday 26 June 2006 at 15:44 -0400, tyche wrote:
> On Monday 26 June 2006 08:11, Rob Sterenborg wrote:
> > On Mon, June 26, 2006 13:02, tyche wrote:
> > > Over the last few days, my server has been attacked. I
> > > would like to limit remote logon attempts by address so
> > > that if someone tries to logon from an IP address and
> > > fails 3 times, my computer will ignore repeated attempts
> > > from that IP address. Any idea how to make a rule for
> > > this?
> >
> > What type of logon? SSH, telnet, ...?
>
> Sorry, that's what comes from typing email when you're still asleep.
> Most seem to be hitting my sshd, though the username/password
> combo leads me to believe that the person is using a database
> to try to overload the server.
>
> Killed some pids that were owned by sshd and they kept
> cropping up faster than I could kill them.

Installing pam_abl can be an eye-opener:

/usr/sbin/pam_abl
Failed users:
    ...
    aaliyah (1)                                 Not blocking
    aaron (9)                                   Not blocking
    aarti (1)                                   Not blocking
    ab (1)                                      Not blocking
    aba (1)                                     Not blocking
    abarisic (2)                                Not blocking
    abarros (1)                                 Not blocking
    abb (1)                                     Not blocking
    abbey (1)                                   Not blocking
    abbey1 (1)                                  Not blocking
    abbey123 (1)                                Not blocking
    ...
    rooot (1)                                   Not blocking
    root (367)                                  Blocking users [!root]
    root-admin (5)                              Not blocking
    root-oliver (3)                             Not blocking
    root1 (1)                                   Not blocking
    ...
Failed hosts:
    ...
    wpc0963.amenworld.com (3379)                Not blocking
    yer91-3-82-245-132-80.fbx.proxad.net (168)  Blocking users [*]

Meaning that sometime in the last two months wpc0963.amenworld.com tried
a brute-force attack with 3379 logons, but it's old, so the host is
allowed to try again, while yer91-3-82-245-132-80.fbx.proxad.net has
already passed the threshold and this is recent, so it's still blocked.

This also shows that few accounts except root are hammered; most malware
just tries every account it can think of once, so non-trivial passwords
help a lot more than unusual account names.

Regards,

-- 
Nicolas Mailhot
Attachment:
signature.asc
Description: This is a digitally signed message part
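The per-host threshold and aging behaviour described in the reply above (a host is "Blocking" only while its recent failures exceed the threshold, and old failures no longer block), as an added example that is neither code from this thread nor part of pam_abl itself: a small Python script that counts sshd "Failed password" lines per source host and per user, flags hosts with at least three failures inside a one-hour window (the original poster's "fails 3 times" rule), and lets older failures age out of the block decision while still appearing in the totals. The sample log lines, the year 2006 supplied for the year-less syslog timestamps, the threshold, the window and the reference time `NOW` are all constructed assumptions for the demonstration.

```python
"""Summarise sshd password failures per source host and per user, and
flag the hosts currently over a failure threshold inside a time window.
Added example for the pam_abl discussion; not code from the mailing list."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample auth.log lines using documentation IP ranges.
# Two hosts fail recently (one once, one four times); a third host
# failed four times two days earlier and should have aged out.
SAMPLE_LOG = """\
Jun 26 14:01:02 host sshd[2001]: Failed password for invalid user aaliyah from 203.0.113.7 port 41122 ssh2
Jun 26 14:01:05 host sshd[2002]: Failed password for root from 203.0.113.7 port 41123 ssh2
Jun 26 14:01:09 host sshd[2003]: Failed password for root from 203.0.113.7 port 41124 ssh2
Jun 26 14:01:12 host sshd[2004]: Failed password for invalid user abbey from 203.0.113.7 port 41125 ssh2
Jun 26 14:03:30 host sshd[2010]: Failed password for invalid user aaron from 198.51.100.9 port 50211 ssh2
Jun 26 14:03:35 host sshd[2011]: Accepted publickey for alice from 198.51.100.9 port 50212 ssh2
Jun 24 09:15:00 host sshd[1501]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jun 24 09:15:03 host sshd[1502]: Failed password for root from 192.0.2.44 port 33002 ssh2
Jun 24 09:15:06 host sshd[1503]: Failed password for root from 192.0.2.44 port 33003 ssh2
Jun 24 09:15:09 host sshd[1504]: Failed password for root from 192.0.2.44 port 33004 ssh2
"""

# Assumed "current time" for the sliding window (constructed, matches the log).
NOW = datetime(2006, 6, 26, 14, 10, 0)

# OpenSSH failure line; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port"
)


def parse_failures(log_text, year=2006):
    """Return a list of (timestamp, user, host) for every failed-password line.
    Classic syslog timestamps carry no year, so the caller supplies one."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["host"]))
    return failures


def evaluate_hosts(failures, now, threshold=3, window=timedelta(hours=1)):
    """Per host: total failures, failures inside the window, and whether the
    host is over the threshold right now. Old failures keep counting toward
    the total but no longer block, so a host that hammered the server days
    ago is allowed to try again, as in the pam_abl output in the thread."""
    total = Counter()
    recent = Counter()
    for ts, _user, host in failures:
        total[host] += 1
        if timedelta(0) <= now - ts <= window:
            recent[host] += 1
    return {
        host: {"total": total[host], "recent": recent[host],
               "blocking": recent[host] >= threshold}
        for host in total
    }


def count_failed_users(failures):
    """How often each account name was tried; shows which accounts are hammered."""
    return Counter(user for _ts, user, _host in failures)


def format_report(host_stats):
    """Render one line per host in the style of pam_abl's 'Failed hosts' list."""
    lines = []
    for host, s in sorted(host_stats.items()):
        status = "Blocking" if s["blocking"] else "Not blocking"
        lines.append(f"    {host} ({s['total']})  {status}")
    return lines


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("Failed users:")
    for user, n in count_failed_users(fails).most_common():
        print(f"    {user} ({n})")
    print("Failed hosts:")
    print("\n".join(format_report(evaluate_hosts(fails, NOW))))
```

Run as-is it reports 203.0.113.7 as "Blocking" (four recent failures), 198.51.100.9 as "Not blocking" (one failure), and 192.0.2.44 as "Not blocking" despite four failures, because they fall outside the window; the user summary shows root tried far more often than any other account, which is the pattern the reply above points out.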