
James Harper wrote:
Rick Moen wrote:
Quoting Chris Samuel (chris@csamuel.org):
What is your definition of really slow?
I already said I haven't run the numbers. However, you are welcome to put an ssh up and see for yourself.
I was getting enough of them that I instructed my firewall to blacklist (for an hour) any IP making more than three SSH attempts in a minute. All traffic in the blacklist gets tarpitted. Subsequent traffic resets the blacklist timer back to one hour.
I found that 5 minutes (vs your 1 hour) was enough to be entirely effective,
You are probably right. I started at 1h and never bothered to dial it down.
and I used xt_recent (or ipt_recent depending on your netfilter version), and applied the same trick to all the RDP and FTP servers running in the same subnet.
Hm, I don't have any FTP or RDP servers, but it might be a good idea to have connections to their ports trigger my blacklisting.
Additionally, I have nominated a few IP addresses in the /24's that nothing is published on which trigger the same blacklisting so anyone attempting a sweep finds all services unresponsive very quickly.
Not a bad idea either. I had thought about setting up a honeypot that actually responds, but I couldn't work out a way to do so that would APPEAR to be compromised without actually being compromised. Simply designating an unused IP to trigger blacklisting would give nearly as good functionality, though.
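The policy the thread converges on (more than three SSH attempts in a minute puts the source on a blacklist; any further traffic from it is tarpitted and resets the timer; packets to an unused decoy address blacklist the source immediately) can be worked through in a small simulator, which is an added example and not any of the posters' firewall configuration. Every address, port and timestamp below is constructed. The comments note how each rule maps onto xt_recent semantics; in particular, "subsequent traffic resets the timer" is what `--update` does, whereas `--rcheck` leaves the original timestamp alone and the entry would expire on schedule.

```python
"""Simulator for the SSH brute-force blacklisting policy discussed in the thread.

Constructed example, not the posters' actual netfilter rules. Policy:
  * more than attempt_limit (3) SSH attempts from one source within
    attempt_window (60 s) blacklists the source for blacklist_ttl
    (3600 s as first described, 300 s as the second poster suggests);
  * any packet from a blacklisted source is tarpitted AND refreshes the
    blacklist timestamp (xt_recent '--update' semantics; '--rcheck' would
    not refresh it);
  * any packet addressed to a decoy IP (an unused address in the /24)
    blacklists the source at once.
"""
from collections import deque


class Blacklister:
    def __init__(self, attempt_limit=3, attempt_window=60,
                 blacklist_ttl=3600, decoys=()):
        self.attempt_limit = attempt_limit
        self.attempt_window = attempt_window
        self.blacklist_ttl = blacklist_ttl
        self.decoys = set(decoys)
        self.attempts = {}    # src -> deque of SSH attempt timestamps (like --name SSH)
        self.blacklist = {}   # src -> last-seen timestamp while listed (like --name BLACKLIST)

    def is_blacklisted(self, src, now):
        last = self.blacklist.get(src)
        if last is None:
            return False
        if now - last >= self.blacklist_ttl:
            del self.blacklist[src]   # entry aged out (what --seconds N enforces)
            return False
        return True

    def handle(self, src, dst, dport, now):
        """Classify one packet as 'TARPIT', 'BLACKLIST' or 'ACCEPT'."""
        if self.is_blacklisted(src, now):
            self.blacklist[src] = now     # --update: the timer starts over
            return "TARPIT"
        if dst in self.decoys:
            self.blacklist[src] = now     # decoy hit: immediate listing
            return "BLACKLIST"
        if dport == 22:
            q = self.attempts.setdefault(src, deque())
            q.append(now)
            while q and now - q[0] > self.attempt_window:
                q.popleft()               # only attempts inside the window count
            if len(q) > self.attempt_limit:   # --hitcount 4 with --seconds 60
                self.blacklist[src] = now
                self.attempts.pop(src, None)
                return "BLACKLIST"
        return "ACCEPT"


DECOYS = ("192.0.2.99",)   # constructed: an unused address in the served /24


def run(packets, decoys=DECOYS, **kw):
    """Feed (src, dst, dport, t_seconds) tuples through one Blacklister."""
    bl = Blacklister(decoys=decoys, **kw)
    return [bl.handle(*p) for p in packets]


# Constructed sample traffic: (src, dst, dport, t_seconds)
SAMPLE = [
    ("203.0.113.5", "192.0.2.10", 22, 0),
    ("203.0.113.5", "192.0.2.10", 22, 10),
    ("203.0.113.5", "192.0.2.10", 22, 20),      # third attempt: still allowed
    ("203.0.113.5", "192.0.2.10", 22, 30),      # fourth within 60 s: blacklisted
    ("203.0.113.5", "192.0.2.10", 80, 3000),    # any port: tarpitted, timer reset
    ("203.0.113.5", "192.0.2.10", 22, 6500),    # 3500 s after reset: still listed
    ("203.0.113.5", "192.0.2.10", 22, 10200),   # >3600 s quiet: expired, counts afresh
    ("198.51.100.7", "192.0.2.99", 443, 5),     # decoy address: immediate listing
    ("198.51.100.7", "192.0.2.10", 22, 6),
    ("203.0.113.9", "192.0.2.10", 22, 0),
    ("203.0.113.9", "192.0.2.10", 22, 61),
    ("203.0.113.9", "192.0.2.10", 22, 122),
    ("203.0.113.9", "192.0.2.10", 22, 183),     # slow scanner: never >3 in 60 s
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt[3]:6d}s {pkt[0]:>14} -> {pkt[1]}:{pkt[2]:<4} {verdict}")
```

The last source in the sample shows the limit of the control: an attempt every 61 seconds never trips a 3-per-minute threshold, so the rule deters bulk guessing rather than a patient attacker. The decoy rule also lists whichever source address appears on the packet, so with a spoofable protocol a third party could be blacklisted on someone else's behalf; restricting the decoy trigger to completed TCP connections avoids that.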