> A quick and easy thing is to let the SSH daemon listen on a different,
> unused high port. This is nothing which brings security! But the scripts
> actually run only against port 22, and you will see no more attempts.
> This is my experience for the moment. There seem to be enough soft
> victims so that attackers actually feel no need to improve their
> scripts.

Actually I have seen them hit the high ports too, in the 3000 (varies) range. Same script, same IP, the whole nine. I put a router between me and the i-net and I'm OK, no more login attempts. But with work servers it's hosting, and APF does a fine job of blocking those that I don't need.

All APF is, essentially, is a control for iptables, pretty easy to use. In /etc/apf/ you have allow_hosts.rules and deny_hosts.rules, which are configured the same. This is from allow_hosts.rules:

##
# allow_hosts
#
# Trust based rule file to define addresses that are granted all or specific
# access through the firewall.
#
# Format of this file is line-separated addresses, IP masking is supported.
# Example:
# 24.202.16.11
# 24.202.11.0/24
#
# advanced usage
#
# The trust rules can be made in advanced format with 4 options
# (proto:flow:port:ip);
# 1) protocol: [packet protocol tcp/udp]
# 2) flow in/out: [packet direction, inbound or outbound]
# 3) s/d=port: [packet source or destination port]
# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
#
# Syntax:
# proto:flow:[s/d]=port:[s/d]=ip(/mask)
# s - source , d - destination , flow - packet flow in/out
#
# Examples:
# inbound to destination port 22 from 24.202.16.11
# tcp:in:d=22:s=24.202.16.11
#
# outbound to destination port 23 to destination host 24.2.11.9
# out:d=23:d=24.2.11.9
#
# inbound to destination port 3306 from 24.202.11.0/24
# d=3306:s=24.202.11.0/24
#
##

This is from the readme on Brute Force Defender on configuration:

###########
Configuration:
The configuration file for BFD is located at '/usr/local/bfd/conf.bfd'; it is very straightforward and the comments in themselves explain what each option is for. Of the options, you should ideally configure the ALERT_USR toggle to enable or disable user email alerts and likewise in conjunction configure the EMAIL_USR var with the email addresses you would like to receive alerts at.

An ignore file is present at '/usr/local/bfd/ignore.hosts'; this is a line-separated file to place hosts into that you would like to be ignored for authentication failures. An internal function will attempt to fetch all local IPs bound on the installed system and therein internally ignore events appearing to be from such addresses.
############

There is also a file called pattern.match which defines the search phrase it looks for in the logs and flags them.

I hope this is the answer you are looking for.

-- 
Mike Ramirez <mike@xxxxxxxxxxxxxx>
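The allow_hosts.rules comment block above gives the grammar of APF's advanced trust rules (proto:flow:[s/d]=port:[s/d]=ip(/mask)) but no way to check what a given line actually covers before it goes live. The following is an added example, not APF's own code and not part of Mike's message: a small parser for that syntax plus a matcher that tells you which rule in a file would cover a described packet. It assumes, since the page does not say, that an omitted proto or flow means "any", that a bare address line matches a packet whose source or destination falls in that network, and that addresses are IPv4 only. The sample rule file is constructed from the page's three examples.

```python
"""Parser and matcher for the APF trust-rule syntax quoted in the message.

Added example, not APF's own code. Grammar (from allow_hosts.rules):
    proto:flow:[s/d]=port:[s/d]=ip(/mask)
Bare address lines ("24.202.16.11", "24.202.11.0/24") are accepted too.
Assumptions not stated on the page: an omitted proto or flow matches any;
a bare address line matches on source or destination; IPv4 only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrustRule:
    proto: Optional[str]       # "tcp", "udp", or None for any protocol
    flow: Optional[str]        # "in", "out", or None for either direction
    port_side: Optional[str]   # "s" or "d"; None when the rule names no port
    port: Optional[int]
    ip_side: Optional[str]     # "s" or "d"; None for a bare address line
    network: ipaddress.IPv4Network


def parse_rule(line: str) -> Optional[TrustRule]:
    """Parse one line of allow_hosts.rules; None for blank or comment lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    proto = flow = port_side = ip_side = None
    port = network = None
    for field in text.split(":"):
        if field in ("tcp", "udp"):
            proto = field
        elif field in ("in", "out"):
            flow = field
        elif "=" in field:
            side, value = field.split("=", 1)
            if side not in ("s", "d"):
                raise ValueError(f"unknown side {side!r} in {line!r}")
            if value.isdigit():
                if not 1 <= int(value) <= 65535:
                    raise ValueError(f"port out of range in {line!r}")
                port_side, port = side, int(value)
            else:
                ip_side = side
                network = ipaddress.IPv4Network(value, strict=False)
        else:
            # bare address or network line, e.g. "24.202.11.0/24"
            network = ipaddress.IPv4Network(field, strict=False)
    if network is None:
        raise ValueError(f"rule names no address: {line!r}")
    return TrustRule(proto, flow, port_side, port, ip_side, network)


def load_rules(text: str) -> List[TrustRule]:
    """Parse a whole rule file, skipping comments and blank lines."""
    parsed = [parse_rule(ln) for ln in text.splitlines()]
    return [r for r in parsed if r is not None]


def rule_matches(rule, proto, flow, src_ip, dst_ip, src_port, dst_port) -> bool:
    """True if the packet described by the arguments is covered by the rule."""
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.flow is not None and rule.flow != flow:
        return False
    if rule.port is not None:
        pkt_port = src_port if rule.port_side == "s" else dst_port
        if pkt_port != rule.port:
            return False
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    if rule.ip_side == "s":
        return src in rule.network
    if rule.ip_side == "d":
        return dst in rule.network
    return src in rule.network or dst in rule.network   # bare address line


def first_match(rules, **packet) -> Optional[TrustRule]:
    """Return the first rule covering the packet (file order), or None."""
    for rule in rules:
        if rule_matches(rule, **packet):
            return rule
    return None


# Constructed sample file: the page's three example rules, uncommented,
# plus one bare network line and a comment line.
SAMPLE_RULES = """\
# trusted admin host -> sshd
tcp:in:d=22:s=24.202.16.11
out:d=23:d=24.2.11.9
d=3306:s=24.202.11.0/24
10.0.0.0/8
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    for r in rules:
        print(r)
    hit = first_match(rules, proto="tcp", flow="in", src_ip="24.202.16.11",
                      dst_ip="192.0.2.10", src_port=51000, dst_port=22)
    print("ssh from admin host covered by:", hit)
```

Running the block prints the four parsed rules and shows that an inbound TCP packet from 24.202.16.11 to port 22 is covered by the first rule; the same packet from 24.202.16.12 matches nothing, which is the kind of check worth doing on a trust file before it is loaded into a live firewall.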