Re: kernel.org status: hints on how to check your machine for intrusion
From: Frank A. Kingswood
Date: Sat Oct 01 2011 - 18:12:35 EST
On 01/10/11 19:06, Steven Rostedt wrote:
On Sat, Oct 01, 2011 at 09:35:33AM +0200, Willy Tarreau wrote:
For my machine that is connected to the outside world, I have a script
that runs every night that checks for attacks. As bots constantly look
for port 22 and 80, they find my machine without issue. When my script
detects a bunch of ssh login attempts that fail, it will add that ip
address to the iptables DROP chain:
# iptables -L -n | grep DROP | wc -l
2656
I've picked up quite a few ;)
This script only runs and scans once at night. Probably better to have
it run more often.
Limiting SSH accesses to a few a minute (failed or not) is useful to
block many password guess attacks. I set up mine a long time ago
following this article using "recent" matches in iptables:
http://www.debian-administration.org/articles/187
You'll want to set the same rules for ipv6.
This won't stop low frequency and distributed attacks, and sometimes but
extremely rarely I find myself connecting more quickly than the rate limit.
Setting "PasswordAuthentication no" in your sshd_config is good too.
Regards,
Frank
--
------------------------------------------------------------------------
Frank A. Kingswood frank@xxxxxxxxxxxxxxxxxxxxxxxxxx
Cambridge, United Kingdom +44-870-095 0000
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/