> On Thu, 25 May 2006, Harold Hallikainen wrote:
>
>> I wonder if some "web accelerators" that prefetch pages will appear to
>> be site rippers to your script.
>
> Good question.
>
>> Another script I run is sshblacklist. It blocks IP addresses (through
>> iptables) if there are three bad username or bad password attempts on
>> ssh. Without running that script, my logs would report thousands of
>> attempts each night. Now it's generally zero, or maybe ten (with a
>> couple more IPs
>
> Why not make ssh port disappear altogether and appear only when needed ?
> See knockd ? So you can detect maladroit knocking beforehand and lock
> out the origin URL before it hits *any* valid services (including web).

Interesting... I'd never heard of knockd. It looks like it runs on a Linksys WRT54G router and I'm running a BEFSR81 (I think that's the number). I do want to keep ports open for smtp, http, https, and I use ssh all the time, so it's nice to get in pretty simply with it.

The blocking of IP addresses after a few bad usernames or passwords on ssh or of obvious attempts at break-in on http seems to do the job. I review the logs each morning. I've found several bad http requests where there was echo or xmlrpc in the url, along with a few Microsoft names, so I added blocking on any IP that tries to request one of those URLs. Seems to have worked so far!

knockd IS interesting, though. Thanks for pointing it out!

Harold

--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising opportunities available!

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
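
The two log-driven blocking rules described in the message above, as an added example; it is not Harold's sshblacklist script. It assumes OpenSSH-style "Failed password" lines and common-log-format web access lines, and the function names and sample log lines are constructed here.

```python
import re
from collections import Counter

THRESHOLD = 3                       # failed ssh logins per address (from the post)
BAD_URL_WORDS = ("echo", "xmlrpc")  # URL substrings named in the post

# The greedy ".*" plus the end anchor selects the address sshd itself appended,
# so a login name such as "x from 192.0.2.77 port 22 ssh2" cannot get an
# unrelated host blocked.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$")
HTTP_REQ = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "\S+ (\S+)')

def addresses_to_block(auth_lines, access_lines, allowlist=()):
    """Return the sorted addresses that tripped either rule."""
    fails = Counter()
    for line in auth_lines:
        m = SSH_FAIL.search(line)
        if m:
            fails[m.group(1)] += 1
    blocked = {ip for ip, n in fails.items() if n >= THRESHOLD}
    for line in access_lines:
        m = HTTP_REQ.match(line)
        if m and any(w in m.group(2).lower() for w in BAD_URL_WORDS):
            blocked.add(m.group(1))
    # Addresses you log in from yourself should never be blocked.
    return sorted(blocked - set(allowlist))

def iptables_rules(addresses):
    """Render (not execute) one DROP rule per address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in addresses]

# Constructed sample log lines using documentation address ranges.
AUTH_LOG = (
    ["May 25 03:10:01 host sshd[411]: Failed password for root from 203.0.113.5 port 4022 ssh2"] * 3
    + ["May 25 03:11:07 host sshd[419]: Failed password for invalid user x from 192.0.2.77"
       " port 22 ssh2 from 198.51.100.9 port 5123 ssh2"] * 3
    + ["May 25 03:12:00 host sshd[425]: Failed password for harold from 192.0.2.10 port 6000 ssh2"]
)
ACCESS_LOG = [
    '198.51.100.23 - - [25/May/2006:03:12:01 -0700] "GET /xmlrpc.php HTTP/1.1" 404 289',
    '192.0.2.10 - - [25/May/2006:08:00:00 -0700] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for rule in iptables_rules(addresses_to_block(AUTH_LOG, ACCESS_LOG)):
        print(rule)
```
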