Gene Heskett <gene.heskett@xxxxxxxxxxx> writes:

> It's very hard to further your attack on a machine when your address is one
> that's never going to be responded to by the machine so protected. You
> cannot prove the machine even exists, no ping response, nothing comes
> back once portsentry has been tripped. And you can make it very paranoid
> indeed.

What does the iptables file for portsentry look like?

I've been experimenting with adding some fairly aggressive (read: dangerous) rules to iptables in an attempt to reclaim lots of the bandwidth and CPU time the script kiddies are robbing me of. Basically I use the module "recent" to set a 1-week timer on their IP for any scanning or excessive connection attempts. Then near the top of the iptables I drop all future packets from them till the timer runs out. This effectively gives them the cold shoulder treatment and they tend to go away after a minute or two.

What is amusing: during testing I had the IP timeout set for 10 minutes. It was this way for 6 weeks as I was making sure the system was working as intended. Well, I guess that was long enough for evolution to take place. One kiddie noticed the 10-minute timeout and came back every 12 minutes to beat on the ssh server a bit more. Silly kiddie; if he'd read my web page he'd have noticed that that server doesn't allow passworded logins anyway, just RSA.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
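For readers who want to see what a "recent"-module cold-shoulder ruleset of the kind described above looks like, here is an added example. It is not Wolfgang's actual iptables file and not part of the original thread; the port (22), the trusted admin address (192.0.2.10, a documentation address standing in for a real one), the ban length (1 week) and the abuse threshold (6 new ssh connections within a minute) are all assumptions of this example. By default it only prints the rules; run it as root with IPT=iptables to load them.

```shell
#!/bin/sh
# Added example, not the poster's firewall: a "recent"-module ban list in
# the spirit of the message above. IPT defaults to "echo iptables", so a
# plain run prints the rules; IPT=iptables (as root) applies them for real.
#
# Assumptions (mine, adjust to taste): ssh on port 22, one trusted admin
# host 192.0.2.10 (a documentation address), a 1-week ban, and
# "6 new ssh connections inside 60 s" as the abuse threshold.

IPT="${IPT:-echo iptables}"
BAN_SECS=604800        # 7 days, the post's 1-week timer
SSH_PORT=22
TRUSTED=192.0.2.10     # never ban this source, whatever it sends

kiddie_rules() {
    $IPT -F INPUT
    $IPT -N KIDDIE 2>/dev/null || true   # private chain: record, log, drop
    $IPT -F KIDDIE

    $IPT -A INPUT -i lo -j ACCEPT
    # Trusted sources go ABOVE the ban check: a single spoofed SYN carrying
    # their address could otherwise lock them (or you) out for a week.
    $IPT -A INPUT -s "$TRUSTED" -j ACCEPT

    # Near the top: a source on the BANNED list whose entry is younger than
    # BAN_SECS gets nothing back, not even a ping. --rcheck does not refresh
    # the entry's timestamp, so the ban ends exactly BAN_SECS after it was
    # set; use --update here if every new packet should restart the clock.
    $IPT -A INPUT -m recent --name BANNED --rcheck --seconds "$BAN_SECS" -j DROP

    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # ssh: record every new connection per source; the 6th within 60 s
    # bans. --set runs first, so the hit count includes the current SYN.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" --syn -m recent --name SSH --set
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" --syn -m recent --name SSH \
         --rcheck --seconds 60 --hitcount 6 -j KIDDIE
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" --syn -j ACCEPT

    # Any other attempt to open a TCP connection is a probe of a port we do
    # not serve: ban on the first packet, portsentry-style.
    $IPT -A INPUT -p tcp --syn -j KIDDIE
    $IPT -A INPUT -j DROP

    # The ban chain: put the source on the list, log (rate-limited), drop.
    $IPT -A KIDDIE -m recent --name BANNED --set
    $IPT -A KIDDIE -m limit --limit 3/min -j LOG --log-prefix "kiddie-ban: "
    $IPT -A KIDDIE -j DROP
}

kiddie_rules
```

Two caveats a practitioner should know before copying this. First, the recent module keeps at most ip_list_tot entries per list (100 by default) and evicts the least recently seen one when the list is full, so on a busy host week-long bans can silently end early; raise it with a module option (ip_list_tot=... on xt_recent, or ipt_recent on older 2.6 kernels). Second, the lists are visible and editable under /proc/net/xt_recent/BANNED (/proc/net/ipt_recent/BANNED on those older kernels), which is the place to look when you want to know who is on the list, or to remove an address you banned by mistake.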