Re: How to auto-ban access from certain IP addresses?



On Mon, 27 Mar 2006, in the Usenet newsgroup linux.redhat, in article
<ca6dnfIHl5peabrZRVn-tg@xxxxxxxxxxx>, dnoyeB wrote:

> I run an RH9 box and someone is constantly trying to break in over the
> last year. It's not remotely accessible in the way they are trying, so I
> am not concerned.

If it's not possible for them to gain access, why are you logging the noise?

> However, I wish I could shut down access from a certain IP address after
> so many attempts, and send an email to myself.
> As opposed to watching 1000s of entries in my log each day from the
> same address.

This sounds like a SSH rootkit zombie, and it depends on how you are
running the daemon. A more reasonable solution is to not allow access to
the services from addresses you don't approve of in the first place. For
example, you seem to be on Comcast in MI.us - is there any expectation
that you will need to access the system from $ANOTHER_COUNTRY? If not,
AFRINIC, APNIC, ARIN, LACNIC and RIPE might be able to provide clues of
addresses you can blackhole permanently. A more sensible solution is to
only allow access from specific addresses/networks/what-ever, and default
to blocking all others.

> Is there a manual way to do this? I assume by editing config files for
> telnet, ssh, etc. Is there an automatic way to do this?

Very dependent on how the service is being run (stand-alone versus xinetd)
in addition to the type of service itself. You seem to be aware that an
automated response is a good way to shoot yourself in the $TENDER_SPOT,
so you can probably play with PortSentry knowing that you do have to be
careful. See the Security-Quickstart-Redhat-HOWTO for some ideas.

Old guy
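[Added example, not from the post above or from either poster. It shows the two things discussed in the reply: counting failed sshd logins per source address from syslog-style log lines, and the default-deny allowlist the reply recommends. The log lines are constructed for the example, the address threshold and the iptables syntax are assumptions for a stand-alone sshd on an RH9-era box, and the script only prints the rules it would apply rather than running them, so they can be checked before anything is blocked.]

```sh
#!/bin/sh
# Constructed sample of syslog-format sshd lines; not real log data.
SAMPLE_LOG='Mar 27 03:14:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 4022 ssh2
Mar 27 03:14:03 host sshd[1235]: Failed password for illegal user admin from 203.0.113.5 port 4023 ssh2
Mar 27 03:14:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 4024 ssh2
Mar 27 03:15:11 host sshd[1240]: Accepted publickey for dave from 192.0.2.10 port 5100 ssh2
Mar 27 03:16:20 host sshd[1241]: Failed password for root from 198.51.100.7 port 3001 ssh2'

# offenders THRESHOLD
# Prints "count ip" for every source address with at least THRESHOLD
# "Failed password" lines, most failures first. Only sshd lines are
# counted; the "Accepted" line is ignored.
offenders() {
    threshold="$1"
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# ban_rules THRESHOLD
# Prints (does not execute) one iptables DROP rule per offender. Pipe the
# output to mail(1) or review it by hand; an automated response that
# applies these blindly is exactly the foot-gun the reply warns about.
ban_rules() {
    offenders "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# allowlist_rules NET...
# The default-deny approach: accept SSH only from the networks given
# (your own address/range goes first), then drop everything else.
allowlist_rules() {
    for net in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}
```

Run as `offenders 3` to see which addresses crossed the threshold, `ban_rules 3` to see the rules that would block them, and `allowlist_rules 192.0.2.0/24` to print the allow-then-drop set. Note that the allowlist rules must be loaded before any ban rules matter, and that if your own address is not in the allowlist you lock yourself out of SSH.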