[LAD] [ot] - NEED some security advise PLEASE!

[Gabriel M. Beddingfield]

Fernando Lopez-Lezcano wrote:
> Another option is a service called denyhosts, it adds entries
> to /etc/hosts.deny for each host from which a defined number of failed
> logins happen. So the attacking hosts are dropped out as they try
> passwords and hopefully fail...

While effective, this can result in a DoS against your machine.

However, I do something similar with the firewall.  I found a good firewall 
script here:

http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.h
tml#s-firewall-setup

And I added this rule:

     #
     # This is to limit all those ssh bots
     #
   /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW
-m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
   /sbin/iptables  -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW
  -m recent --set --name DEFAULT --rsource

Which temporarily ignores traffic from a host if they hit my SSH port 4 times in 
60 seconds.

However, in the past few months, the scripts that are attacking the ssh ports 
have taken on a distributed attack vector that is able to circumvent this 
firewall rule.

HTH,
Gabriel