On Sat, 2006-01-28 at 14:43 -0600, Dan Drake wrote:
> On Sat, 28 Jan 2006 at 12:17PM -0600, Mike Hicks wrote:
> > I finally got around to making an automatic blackhole setup to stop
> > the bots that try to SSH into my box all the time.  I'm sure people
> > have done this before, but I couldn't find many decent references
> > googling around.  So, I figured I'd explain what I did so others can
> > waste less time.

Heh, I probably should have explained that a little better -- I did come
across several utilities to block SSH attempts, though they just didn't
work in ways I liked.  Some worked via cron (or that's what I thought),
and, seemingly, most use Python (heh, Perl's slow enough for me
already ;-)  Well, I'm not sure why I don't like Python..  Probably just
because I don't know it yet.

Anyway, I've gotten a few direct responses too, and I think everyone
seems to have equally valid solutions, just resolving problems in the
way that makes the most sense to them.  I wanted something that was
getting fed directly from the system logger (not tailing a file
or--eek--reading the whole thing every few minutes as a cronjob) so it
could respond immediately.

Of course, the iptables limiting approach is reasonable too, but I just
wanted to know that I'm filtering someone who's actually failing login.

> My solution to that problem was to use iptables and a port knocking
> daemon. If you're not coming from the U of M, iptables drops all port 22
> packets, unless you knock first. 

Hmm, I suppose I could whitelist the firewall I'm coming from when
ssh'ing from work (and a handful of others), then use knocking for other
source IPs.  But I suspect that getting IPSec working between my roaming
laptop and my home network is higher up on my To-Do,-Someday,-Hopefully
list..

-- 
Mike Hicks <hick0088 at tc.umn.edu>
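
An added example, not part of the message above and not the author's actual setup: a minimal Python sketch of the approach described, counting failed sshd logins per source address as log lines arrive instead of polling a file. The OpenSSH log line pattern, `THRESHOLD`, `WINDOW`, `ALLOWLIST` and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH logs: "Failed password for [invalid user] NAME from ADDR port N ssh2"
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
THRESHOLD = 3                    # assumed: failures allowed per window
WINDOW = timedelta(minutes=10)   # assumed window length
ALLOWLIST = {"192.0.2.10"}       # assumed trusted source, e.g. a work firewall

def parse(line, year=2006):
    """Return (timestamp, source address) for a failed login, else None."""
    m = FAILED.search(line)
    if not m:
        return None
    # Classic syslog timestamps are the first 15 characters and carry no year.
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group(1)

def watch(lines):
    """Read log lines as they arrive; yield an address once, when it hits THRESHOLD."""
    recent = defaultdict(deque)  # address -> timestamps of failures inside WINDOW
    blocked = set()
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ts, addr = hit
        if addr in ALLOWLIST or addr in blocked:
            continue
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()          # forget failures older than the window
        if len(q) >= THRESHOLD:
            blocked.add(addr)
            del recent[addr]
            yield addr           # caller adds the firewall or blackhole rule

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    "Jan 28 12:00:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Jan 28 12:00:03 host sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2",
    "Jan 28 12:00:04 host sshd[4103]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
    "Jan 28 12:00:05 host sshd[4104]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2",
    "Jan 28 12:02:00 host sshd[4105]: Failed password for alice from 198.51.100.9 port 41000 ssh2",
    "Jan 28 12:30:00 host sshd[4106]: Failed password for alice from 198.51.100.9 port 41001 ssh2",
    "Jan 28 12:31:00 host sshd[4107]: Failed password for alice from 198.51.100.9 port 41002 ssh2",
]
```

`list(watch(SAMPLE))` flags only 203.0.113.7; the three failures from 198.51.100.9 are spread over more than ten minutes and stay under the threshold. For live use, `watch(sys.stdin)` would consume lines from whatever pipe the system logger writes to.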