Re: Limit the number of erroneous logins of root from the same IP



Moe Trin <ibuprofin@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
So the windoze box wasn't offering SSH, and Linux was?

correct.

The ip addresses were all concentrated in one country.

Which one out of curiosity?

.cn

country (or even regions). Everyone blames China as a bad guy, so how

In my case, .cn was the bad guy.

In the firewall - set the default inbound to DROP or REJECT, and then
add the needed rules to connect those IPs or IP ranges you want to
give access to. In my case, that boils down to just five total lines.

For me as well. I have one outside IP address that I can log into from
anywhere. That ISP uses a limit of some sort, with a telnet knock to
reopen for a locked address. From that login, I can go to my home
machine, and adjust the allowed list to include my new location, which I
might do for performance reasons, especially if I am running some GUI
remotely. I only allow a couple of subnets, and those have gone away, as
all of the corporate connections seem to come out through one firewall, if
outbound is allowed at all.

for ways to get the firewall simple and solid.

I got the impression from this thread that hosts.allow was more current.
If not, then I'm happy with the iptables. I only allow port 22, and a port
for a special package, from an even more limited set of IPs.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
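
The default-DROP allow-list policy discussed in this message, as an added example that is not part of the original post: a script that validates a list of source addresses and prints an `iptables-restore` ruleset permitting port 22 and one extra service port only from those sources. The addresses (RFC 5737 documentation ranges), port 8443, the FORWARD policy and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset with default-DROP inbound and
# per-source allow rules. Addresses and port 8443 are constructed placeholders.

valid_source() {                  # IPv4 address with optional /0-32 prefix
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%/*}; old_ifs=$IFS; IFS=.
    set -- $addr                  # split the address into its four octets
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

valid_port() {                    # decimal port in 1..65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_ruleset "<ssh sources>" <extra port> "<extra-port sources>"
build_ruleset() {
    ssh_sources=$1; extra_port=$2; extra_sources=$3
    # Refuse to emit anything if any input is malformed.
    valid_port "$extra_port" || { echo "bad port: $extra_port" >&2; return 1; }
    for s in $ssh_sources $extra_sources; do
        valid_source "$s" || { echo "bad source: $s" >&2; return 1; }
    done
    # INPUT defaults to DROP; FORWARD DROP assumes the host does not route.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for s in $ssh_sources; do     # SSH only from the listed sources
        printf '%s\n' "-A INPUT -p tcp -s $s --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    for s in $extra_sources; do   # the extra service from its own, narrower list
        printf '%s\n' "-A INPUT -p tcp -s $s --dport $extra_port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed sample: two SSH sources, one source for the extra port.
build_ruleset "192.0.2.10 198.51.100.0/24" 8443 "192.0.2.10"
```

The script only prints the ruleset; piping it to `iptables-restore --test` as root parses it without committing, which is a safe check before loading it over a remote session.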