
Rick Moen wrote:
> Quoting Chris Samuel (chris@csamuel.org):
> > What is your definition of really slow?
> I already said I haven't run the numbers. However, you are welcome to put an ssh up and see for yourself.
>
> I was getting enough of them that I instructed my firewall to blacklist (for an hour) any IP making more than three SSH attempts in a minute. All traffic in the blacklist gets tarpitted. Subsequent traffic resets the blacklist timer back to one hour.
I found that 5 minutes (vs. your 1 hour) was enough to be entirely effective, and I used xt_recent (or ipt_recent, depending on your netfilter version), and applied the same trick to all the RDP and FTP servers running in the same subnet. Additionally, I have nominated a few IP addresses in the /24s that nothing is published on, which trigger the same blacklisting, so anyone attempting a sweep finds all services unresponsive very quickly.
> Password auth is off ANYWAY, but log flooding was annoying me. Hopefully tarpitting also increases operational-costs-per-compromise for the attackers, too.
Yes, that was my reason for blocking too... too much noise in the logs makes log analysis difficult. For the same reason I've changed ports in a lot of cases too - now when I see traffic it's probably worth following up.

James
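The xt_recent scheme the two posts describe (three new SSH connections per minute puts a source on a blacklist, every further packet from it restarts the timer and is tarpitted, and probes to an unused decoy address in the subnet land on the same list), written out as an added iptables rule generator; this is example code, not either poster's actual firewall. It assumes the interface eth0, SSH on port 22, the TARPIT target from xtables-addons (set TARGET=DROP if that is not built), and a placeholder decoy address 192.0.2.250.

```shell
#!/bin/sh
# Added example, not the posters' rules. Defaults below are assumptions and
# can be overridden from the environment before calling the function.
IFACE=${IFACE:-eth0}
SSH_PORT=${SSH_PORT:-22}
DECOY_IP=${DECOY_IP:-192.0.2.250}   # placeholder: an address nothing is published on
BL_SECONDS=${BL_SECONDS:-3600}       # blacklist length; one post found 300 was enough
TARGET=${TARGET:-TARPIT}             # needs xtables-addons; use DROP without it

# Print the rule set. Review it, then apply as root with:
#   ssh_ratelimit_rules | sh
# Current list members are visible in /proc/net/xt_recent/SSH_BL.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -N SSH_CHECK
iptables -N SSH_BLACKLIST
# Already blacklisted source: --update refreshes its timestamp, so any packet
# restarts the ${BL_SECONDS}s timer, and ALL of its traffic is tarpitted, not just SSH.
iptables -A INPUT -i $IFACE -m recent --name SSH_BL --update --seconds $BL_SECONDS -j $TARGET
# Anything sent to the decoy address hosts nothing, so it goes straight onto the list.
iptables -A INPUT -i $IFACE -d $DECOY_IP -j SSH_BLACKLIST
# Count new SSH connections per source address.
iptables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT --syn -m conntrack --ctstate NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --name SSH_ATT --set
# Fourth new connection inside 60s (i.e. more than three per minute) -> blacklist.
iptables -A SSH_CHECK -m recent --name SSH_ATT --rcheck --seconds 60 --hitcount 4 -j SSH_BLACKLIST
iptables -A SSH_BLACKLIST -m recent --name SSH_BL --set -j $TARGET
EOF
}
```

Because the blacklist rule sits before the SSH counting rule, a listed source never reaches sshd again until it has been silent for the full timeout, which is what keeps the auth log quiet.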