[TriLUG] Host Blocking

Jason Faulkner jasonlf at gmail.com
Wed Jan 5 21:45:07 EST 2005


> I set up a web server about two weeks ago. The server currently has two open
> ports to the world, 22 and 80.
> 
> In monitoring the logs (both ssh and apache) I have noticed an interesting
> (disturbing) trend. There seem to be a number of dictionary attacks on the
> ssh server, and a number of script type attacks on the web server. The
> majority (99%) of these attacks are coming from a specific part of the world
> (Always have to protect the guilty).
> 
> Now I do not plan on ever needing anyone other than US based customers from
> accessing this server. And I do realize that things like dictionary attacks
> on my sshd are really not causing much harm. But here is my question:
> 
> What would be the best method of blocking access from a particular part of the
> world, or for that matter allowing access from only US based IP ranges?
> 
> Something like + *.us, and block everything else is the idea. Just wondering
> what some recommended approaches would be (hosts.allow/deny, iptables,
> etc., etc.)?
> 

Easy fix for SSH: use a nonstandard port.

-- 
Jason Faulkner
Old Os Admin
http://oldos.org
---------------------------
*Employed full-time now -- thanks for all the emails of support*


