[TriLUG] Host Blocking
jasonlf at gmail.com
Wed Jan 5 21:45:07 EST 2005
> I set up a web server about two weeks ago. The server currently has two open
> ports to the world, 22 and 80.
> In monitoring the logs (both ssh and apache) I have noticed an interesting
> (disturbing) trend. There seem to be a number of dictionary attacks on the
> ssh server, and a number of script type attacks on the web server. The
> majority (99%) of these attacks are coming from a specific part of the world
> (Always have to protect the guilty).
> Now I do not plan on ever needing anyone other than US based customers from
> accessing this server. And I do realize that things like dictionary attacks
> on my sshd are really not causing much harm. But here is my question:
> What would be the best method of blocking access from a particular part of the
> world, or for that matter allowing access from only US based IP ranges.
> Something like + *.us, and block everything else is the idea. Just wondering
> what some recommended approaches would be (hosts.allow/deny, iptables,
> etc., etc.)?
Easy fix for SSH: use a nonstandard port.
Old Os Admin
*Employed full-time now -- thanks for all the emails of support*