Re: How to push back against repeated login attempts?

On Wednesday, March 3, 2021, <oregano@disroot.org> wrote:

> So honeypot or tarpit seems like something to try. Endlessh sounds good, but labrea and iisemulator have debian packages. Any suggestions or warnings to consider?

if you run exim4 and live spamassassin mta-time the teergrube config is a lot of fun (teergrube: german for tarpit).

unfortunately, running mta-time spamassassin takes a MENTAL amount of server-side resources esp. if you enable clamav, pyzor and razor like i used to.

after a couple years i went "this is nuts" and left greylistd running but did forwarding-only.

btw the other one to watch out for is the Iranian attack against OpenVPN. i had repeated attempts to break in on OpenVPN come up and had to add that to recidive as well, with some custom pattern matching.

a week later the slashdot announcement came up, "Iran sponsored hackers break in to somethingorother by turning OpenVPN servers into botnets".

keeping an eye on your fail2ban logs you get a fairly good advance indication of massive govt sponsored hacking attempts.
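
[Added example, not part of the original message or the poster's configuration: a small Python script that reads fail2ban.log ban lines and flags hosts banned repeatedly across jails, which is what the recidive jail acts on. The log layout, the `openvpn` jail name, the thresholds and the sample lines are assumptions constructed for illustration.]

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual fail2ban.log layout (documentation-range IPs).
SAMPLE_LOG = """\
2021-03-01 02:11:40,118 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2021-03-01 02:21:41,530 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2021-03-01 09:45:02,004 fail2ban.actions        [812]: NOTICE  [openvpn] Ban 198.51.100.23
2021-03-01 14:03:19,871 fail2ban.actions        [812]: NOTICE  [openvpn] Ban 203.0.113.7
2021-03-02 01:30:55,412 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2021-03-02 03:12:08,290 fail2ban.actions        [812]: NOTICE  [recidive] Ban 203.0.113.7
2021-03-09 11:00:00,000 fail2ban.actions        [812]: NOTICE  [openvpn] Ban 198.51.100.23
"""

# Matches "Ban" actions only; "Unban" lines do not match.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+fail2ban\.actions\s+"
    r"\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<host>\S+)\s*$"
)

def parse_bans(text, skip_jail="recidive"):
    """Return (timestamp, jail, host) per ban, ignoring recidive's own bans."""
    bans = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m and m["jail"] != skip_jail:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            bans.append((ts, m["jail"], m["host"]))
    return bans

def repeat_offenders(bans, maxretry=3, findtime=timedelta(days=1)):
    """Hosts with >= maxretry bans inside any findtime window (assumed thresholds)."""
    by_host = defaultdict(list)
    for ts, jail, host in sorted(bans):
        by_host[host].append((ts, jail))
    flagged = {}
    for host, events in by_host.items():
        for i in range(len(events) - maxretry + 1):
            window = events[i:i + maxretry]
            if window[-1][0] - window[0][0] <= findtime:
                flagged[host] = sorted({jail for _, jail in window})
                break
    return flagged

def bans_per_jail(bans):
    """Ban count per jail; a sudden jump in one jail is the early signal."""
    counts = defaultdict(int)
    for _, jail, _ in bans:
        counts[jail] += 1
    return dict(counts)
```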


