Re: SSH attack
On 10/04/2005 11:00 PM, David E. Fox wrote:
> I've logged thousands of attempts from chinanet
> and kornet within the last few days. I've reported (as if that would do
> any good) with "Free Tibet" and of course copies of the log - 500K in
> one instance(!) but am more interested in just blocking their
> entire /24 if need be.
> The question is - how?
> IP 126.96.36.199 (using whois) belongs to pubnet.ne.kr. I'd send a
> heads up email to email@example.com and CC it to firstname.lastname@example.org.
>> Please get back to me fast. I took the compilers off of the system,
> If you only see "Failed attempt" then you're probably safe - there are
> probably script kiddies running password sniffers or crackers. Note the
> port(s) tried - in my case they are non-standard ones - and block them
> with your firewall. Check and/or install chkrootkit.
> I certainly hope you're not infected, and if so, you'll need to
The list archives have many threads on this subject. Also, an excellent
"Automatically Blocking SSH Attackes From Script Kiddies?"
I'm using the new package fail2ban. It works perfectly on my sarge box.
~$ apt-cache show fail2ban
Status: install ok installed
Maintainer: Yaroslav Halchenko <email@example.com>
Depends: python, iptables
Description: bans IPs that cause multiple authentication errors
Monitors (in daemon mode) or just scans log files (e.g. /var/log/auth.log,
/var/log/apache/access.log) and temporarily bans failure-prone
addresses by updating existing firewall rules. Currently, by default,
supports ssh/apache but configuration can be easily extended for scanning
the other ASCII log files. Firewall rules are given in the config file,
thus it can be adopted to be used with a variety of firewalls (e.g.