* Noah Meyerhans (noahm@debian.org) wrote: > As an additional point against these scripts, they are host based. If > I'm going to bother blackholing the source of these login attempts, I'm > going to do it at the border. Yes, I can write scripts to react to this > kind of scanning and have it automatically manipulate access lists on > the routers, I'm not sure I really like the idea. I'm sort of leaning > in that direction, at this point, though, just to shut up logcheck > without telling it to ignore all failed root login attempts. This may or may not be an option for you, but... There's an iptables match called 'ipt_recent' which you can use to blackhole addresses for a period of time. Many of these types of scans will hit an unused address first, or first hit an address/port combination that's not allowed. With ipt_recent you can then blackhole the address for some period of time (say, 60 seconds) which is generally more than long enough for the rest of the scan of your segment to be blocked. Of course, there are potential problems with any kind of automated blacklisting, the main one being the 'DoS' problem. ipt_recent tries to handle this by having the option to also track the TTL which at least makes it a little more difficult to forge packets which will block legitimate hosts. iptables also allows stateful filtering and if you use that then at least outbound connections won't be affected, only inbound ones could be. Stephen
Attachment:
signature.asc
Description: Digital signature