13 Jul
2012
13 Jul
'12
8:19 a.m.
Rick Moen wrote:
Quoting Chris Samuel (chris@csamuel.org):
What is your definition of really slow?
I already said I haven't run the numbers. However, you are welcome to put an ssh up and see for yourself.
I was getting enough of them that I instructed my firewall to blacklist (for an hour) any IP making more than three SSH attempts in a minute. All traffic in the blacklist gets tarpitted. Subsequent traffic resets the blacklist timer back to one hour. Password auth is off ANYWAY, but log flooding was annoying me. Hopefully tarpitting also increases operational-costs-per-compromise for the attackers, too. http://cyber.com.au/~twb/doc/iptab.ips