Re: status: hints on how to check your machine for intrusion

From: Frank A. Kingswood
Date: Sat Oct 01 2011 - 18:12:35 EST

On 01/10/11 19:06, Steven Rostedt wrote:
On Sat, Oct 01, 2011 at 09:35:33AM +0200, Willy Tarreau wrote:

For my machine that is connected to the outside world, I have a script
that runs every night that checks for attacks. As bots constantly look
for port 22 and 80, they find my machine without issue. When my script
detects a bunch of ssh login attempts that fail, it will add that ip
address to the iptables DROP chain:

# iptables -L -n | grep DROP | wc -l

I've picked up quite a few ;)

This script only runs and scans once at night. Probably better to have
it run more often.

Limiting SSH accesses to a few a minute (failed or not) is useful to block many password guess attacks. I set up mine a long time ago following this article using "recent" matches in iptables:

You'll want to set the same rules for ipv6.

This won't stop low frequency and distributed attacks, and sometimes but extremely rarely I find myself connecting more quickly than the rate limit.

Setting "PasswordAuthentication no" in your sshd_config is good too.



Frank A. Kingswood frank@xxxxxxxxxxxxxxxxxxxxxxxxxx
Cambridge, United Kingdom +44-870-095 0000
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at