[TriLUG] Host Blocking
Jason Faulkner
jasonlf at gmail.com
Wed Jan 5 21:45:07 EST 2005
> I set up a web server about two weeks ago. The server currently has two open
> ports to the world, 22 and 80.
>
> In monitoring the logs (both ssh and apache) I have noticed an interesting
> (disturbing) trend. There seem to be a number of dictionary attacks on the
> ssh server, and a number of script type attacks on the web server. The
> majority (99%) of these attacks are coming from a specific part of the world
> (Always have to protect the guilty).
>
> Now I do not plan on ever needing anyone other than US-based customers from
> accessing this server. And I do realize that things like dictionary attacks
> on my sshd are really not causing much harm. But here is my question:
>
> What would be the best method of blocking access from a particular part of the
> world, or for that matter allowing access from only US-based IP ranges?
>
> Something like + *.us, and block everything else is the idea. Just wondering
> what some recommended approaches would be (hosts.allow/deny, iptables,
> etc., etc.)?
>
Easy fix for SSH: use a nonstandard port.
--
Jason Faulkner
Old Os Admin
http://oldos.org
---------------------------
*Employed full-time now -- thanks for all the emails of support*