On Mon, Feb 11, 2002 at 11:26:57AM +0100, Klaus Koch wrote:
[SNiP]
> My question now is, what can I really do in realtime against an ongoing
> attack? Are there any interesting reads, I wasn't able to find?

Assuming the attack is coming from IP address "x1.x2.x3.x4", the following command should effectively stop it (rejects all routing to/from that host).

    route add -host x1.x2.x3.x4 reject

If it's a flood attack originating from several hosts, it's a bit more tricky, since you have to do the above for all attacking hosts as quickly as possible. I think you can get snort to do it for you, though.

If the attacker(s) have already gotten into your host and created accounts, the attacker(s) can of course use those accounts to log in normally (no intrusion) from another host. So you should of course check your passwd (or really reinstall the entire system) as soon as possible if you suspect that someone has successfully cracked your server.

brgds,
/frax
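As an added illustration of the "do the above for all attacking hosts as quickly as possible" step (not part of frax's reply), the helper below reads a list of source addresses, validates and de-duplicates them, and emits the reject route for each; the function names, the DRY_RUN switch and the sample addresses in the test are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): take attacking
# source addresses on stdin, one per line, validate them, drop
# duplicates, and emit or apply the reject route the reply describes.
# With DRY_RUN=1 (the default) the route commands are only printed;
# applying them needs root and Linux net-tools "route" syntax.

DRY_RUN="${DRY_RUN:-1}"

# is_ipv4 ADDR: succeed only for a well-formed dotted quad, so that a
# malformed log line never becomes a routing-table change
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
}

# reject_routes: read addresses from stdin, print each route command
# that would be (or was) run; malformed lines are reported on stderr
reject_routes() {
    sort -u | while read -r addr; do
        [ -n "$addr" ] || continue
        if ! is_ipv4 "$addr"; then
            echo "skipping malformed address: $addr" >&2
            continue
        fi
        cmd="route add -host $addr reject"
        echo "$cmd"
        [ "$DRY_RUN" = 1 ] || $cmd
    done
}
```

Keep in mind that a reject route only stops your host from sending anything back; packets from the flooding hosts still arrive on the interface, so against a bandwidth flood the filtering has to happen upstream.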