[plug] Attempted Intrusions

Bill Kenworthy billk at iinet.net.au
Wed Oct 20 10:00:37 WST 2004


I do it dynamically off log messages.  If someone hits a tripwired port,
it drops them silently forevermore until I flush the chains.  This seems
to work as most tries appear to come from machines that scan more than
just ssh, so they trip the drop rules before they can probe more than a
couple of ports.  Works well, but you have to take precautions (regular
flush, 4 hour lifetime per rule and so on) as it's easy to DoS oneself.

Other methods are to drop whole blocks such as all china, korea and so
on - there's lists on the net for them.  This is pretty common in
business.

When not away you could use a draconian set of rules, and loosen them
just before you depart on your trip.

Lastly, just add a quick drop for particularly problematic pests such as
your ssh one (could this be an innocent, but misconfigured script?) -
but this got pretty tiresome for me very quickly.

BillK


On Wed, 2004-10-20 at 09:44, Marc Wiriadisastra wrote:
> Bill Kenworthy wrote:
> > That's the path you should be going down!  People (plural) are trying to
> > actively probe your machine and you are not firewalling them off?
> > 
> > BillK
> > 
> All it is is that I haven't limited the IPs to who can access ssh 
> because sometimes I'm away on business and the only access I have is a 
> dialup.  How do I get around that or is there not a way around it?
> 
> 
> Regards
> 
> Marc
> 
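The log-driven tripwire blocking Bill describes above, written out as an added example that is not part of the original thread: it reads kernel log lines in the format the iptables LOG target produces, blocks any source that hits a tripwire port, and gives every block a 4 hour lifetime with an explicit flush. The log prefix "TRIPWIRE", the chain name TRIPWIRE_DROP, the set of tripwire ports, the sample log lines and the allowlisted management address are all assumptions made up for this example; the script only returns the iptables commands it would run, so it can be read and tested without root.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in iptables LOG-target format (not real traffic).
# The "TRIPWIRE" prefix is assumed to be set with: iptables ... -j LOG --log-prefix "TRIPWIRE "
SAMPLE_LOG = """\
Oct 20 09:12:03 gw kernel: TRIPWIRE IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=54321 DPT=23 SYN URGP=0
Oct 20 09:12:04 gw kernel: TRIPWIRE IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=54322 DPT=135 SYN URGP=0
Oct 20 09:15:41 gw kernel: TRIPWIRE IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=445 SYN URGP=0
Oct 20 09:20:00 gw sshd[1234]: Accepted publickey for marc from 192.0.2.77 port 51000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: TRIPWIRE .*"
    r"SRC=(?P<src>\S+) .*PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)"
)
LOG_YEAR = 2004  # syslog lines carry no year; assumed to match the thread's date


def parse_log_line(line):
    """Return {'time', 'src', 'proto', 'dpt'} for a TRIPWIRE log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"time": ts, "src": m.group("src"), "proto": m.group("proto"),
            "dpt": int(m.group("dpt"))}


class TripwireBlocker:
    """Turns tripwire hits into time-limited DROP rules in a dedicated chain."""

    CHAIN = "TRIPWIRE_DROP"  # assumed to exist and be jumped to early in INPUT

    def __init__(self, tripwire_ports, allowlist, lifetime=timedelta(hours=4)):
        self.tripwire_ports = set(tripwire_ports)
        # Addresses that must never be blocked (your own hosts, the management
        # dialup range): this is the guard against DoS-ing yourself.
        self.allowlist = set(allowlist)
        self.lifetime = lifetime
        self.blocked = {}  # source address -> expiry time

    def handle(self, event):
        """Return the iptables command to add a rule, or None if nothing to do."""
        if event is None or event["dpt"] not in self.tripwire_ports:
            return None
        src = event["src"]
        if src in self.allowlist or src in self.blocked:
            return None
        self.blocked[src] = event["time"] + self.lifetime
        return f"iptables -I {self.CHAIN} -s {src} -j DROP"

    def expire(self, now):
        """Return delete commands for every rule whose lifetime has passed."""
        cmds = []
        for src, expiry in sorted(self.blocked.items()):
            if expiry <= now:
                del self.blocked[src]
                cmds.append(f"iptables -D {self.CHAIN} -s {src} -j DROP")
        return cmds

    def flush(self):
        """The periodic 'flush the chains' step: forget everything at once."""
        self.blocked.clear()
        return f"iptables -F {self.CHAIN}"


def process_log(log_text, blocker):
    """Feed each line through the blocker; return the commands it would run."""
    cmds = []
    for line in log_text.splitlines():
        cmd = blocker.handle(parse_log_line(line))
        if cmd:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    b = TripwireBlocker(tripwire_ports={23, 135, 445, 1433}, allowlist={"203.0.113.9"})
    for c in process_log(SAMPLE_LOG, b):
        print(c)
    for c in b.expire(datetime(LOG_YEAR, 10, 20, 13, 12, 3)):
        print(c)
    print(b.flush())
```

Run against the sample log, the scanner at 198.51.100.23 is dropped on its first tripwire hit and its second probe adds nothing, the allowlisted host is ignored even though it touched port 445, the sshd line is not a tripwire event at all, and the rule disappears exactly four hours after it was added. In production the returned strings would be passed to subprocess and the whole thing driven from a tail of the kernel log plus a cron job calling expire() and flush().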




More information about the plug mailing list