[lug] Barring the Barbarians

Sean Reifschneider jafo at tummy.com
Sun Dec 12 19:19:06 MST 2004


On Fri, Dec 10, 2004 at 03:27:47PM -0700, D. Stimits wrote:
>I have not used this yet on my newest installs, but if you have the 
>right kernel features enabled, you can track MAC addresses.

Not likely.  MAC addresses are for local Ethernets; you don't get a MAC
address on remote connections, just a TCP/IP source address.

>>So does anyone know of ways to dynamically alter the defense as needed? Or 
>>is the best response still just to keep my shields up? 

Yeah, you could get fancy and write something that locks down the port
after so many connection attempts.  I'd probably do it by just writing a
small program that watches the logs and adds an iptables rule if I were to
do it at all.  I presume you've seen my blog entry on some alternatives?

   http://www.tummy.com/journals/entries/jafo_20041029_151145

It looks like simply moving your SSH daemon to a different port is totally
eliminating these logins.  In checking one of our systems' logs for the last
month, I don't see any bad login attempts except from our own machines.
We've been running SSH on a different port for 4 or 5 years now, so this
problem isn't totally unexpected.  ;-)

Sean
-- 
 The most important thing in communication is to hear what isn't being said.
                 -- Peter Drucker
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995.  Qmail, Python, SysAdmin
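A minimal version of the log-watching approach Sean sketches above, added here as an illustration and not code from the post or from tummy.com. It assumes OpenSSH-style "Failed password ... from <ip>" lines in the auth log, an INPUT chain, and a constructed sample log; the allowlist covers the "own machines" case he mentions, and `dry_run` only prints the rule it would add.

```python
import re
import subprocess
from collections import Counter

# Constructed sample of sshd auth-log lines (not taken from a real system).
SAMPLE_LOG = """\
Dec 12 18:01:02 host sshd[1234]: Failed password for invalid user test from 203.0.113.7 port 4010 ssh2
Dec 12 18:01:05 host sshd[1235]: Failed password for invalid user guest from 203.0.113.7 port 4012 ssh2
Dec 12 18:01:09 host sshd[1236]: Failed password for root from 203.0.113.7 port 4015 ssh2
Dec 12 18:02:00 host sshd[1240]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Dec 12 18:02:30 host sshd[1241]: Accepted publickey for alice from 198.51.100.9 port 5002 ssh2
"""

# Matches OpenSSH "Failed password" lines and captures the source IPv4 address.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")


def count_failures(log_text):
    """Return a Counter of failed-password attempts per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def offenders(log_text, threshold=3, allowlist=()):
    """IPs with at least `threshold` failures, skipping allowlisted (own) hosts."""
    return sorted(ip for ip, n in count_failures(log_text).items()
                  if n >= threshold and ip not in allowlist)


def iptables_rule(ip, port=22):
    """iptables command dropping new connections from ip to the SSH port (assumed INPUT chain)."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(port), "-s", ip, "-j", "DROP"]


def block(ip, port=22, dry_run=True):
    """Add the rule (needs root) or, in dry-run mode, just return the command as a string."""
    cmd = iptables_rule(ip, port)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return " ".join(cmd)


if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG, threshold=3, allowlist=("198.51.100.9",)):
        print(block(ip))  # dry run: prints the rule that would be inserted
```

In real use the script would tail the live log instead of reading a string, and expire rules after some interval so a mistyped password from a legitimate host does not lock it out for good.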
