[TriLUG] Host Blocking
Ron Joffe
rjoffe at yahoo.com
Wed Jan 5 21:16:13 EST 2005
Hey folks, looking for some suggestions.
I set up a web server about two weeks ago. The server currently has two open
ports to the world, 22 and 80.
In monitoring the logs (both ssh and apache) I have noticed an interesting
(disturbing) trend. There seem to be a number of dictionary attacks on the
ssh server, and a number of script type attacks on the web server. The
majority (99%) of these attacks are coming from a specific part of the world
(Always have to protect the guilty).
Now I do not plan on ever needing anyone other than US-based customers to
access this server. And I do realize that things like dictionary attacks
on my sshd are really not causing much harm. But here is my question:
What would be the best method of blocking access from a particular part of the
world, or for that matter allowing access from only US-based IP ranges?
Something like + *.us, and block everything else is the idea. Just wondering
what some recommended approaches would be (hosts.allow/deny, iptables,
etc., etc.)?
Thanks,
Ron