Re: [psad-discuss] Brute force attacks and statistics
From: Franck J. <fra...@dt...> - 2009-03-17 23:17:05
>> I am currently running an FTP server on which I keep an eye to
>> detect bad IPs.
>>
>> All bots keep trying to connect without SSL whatever the error
>> message is. After a large amount of tries, I use *psad
>> --fw-block-ip* to end the attacks.
>>
>> The only way I have found to track those offenders is to keep the
>> email alerts in my mailbox, since *psad -S* does not track them
>> after the timeout.
>>
>> How do you handle that?
>>
>> I would like to have statistics.

> You should probably be using a brute force attack detector like
> denyhosts. There are others.

I will have a look, but at first glance this one does not fit my needs.

First, I do not worry about my ssh server since I use fwknop, which
works like a charm :)

Then, I do not want to blacklist those IPs. I want to collect them,
check them against my other iptables logs and graph all that. If this
is really needed, I could blacklist them afterwards. For example, what
would be the point of denying access to a dynamic IP address (like I
use)?

I use psad to add a DROP rule (with a timeout) to my ruleset since I
want to end the current connection.

I also think using /etc/hosts.deny to blacklist IPs is not really
useful, since packets get through my iptables ruleset and the
connection will end normally. I would prefer adding a DROP rule to my
firewall, and manage my *bad guy list* myself.

If anyone thinks I am wrong, please shout :)

Regards,

-- 
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
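The approach Franck describes above, collecting offending sources from iptables LOG output and deriving statistics from them rather than blacklisting on sight, can be done with a few lines of parsing. The script below is an added example written for this archive page; it is not Franck's code, not part of psad, and it assumes nothing beyond the standard KEY=VALUE format the iptables LOG target writes to syslog. The sample log lines, the host name "gw", the log prefixes "FTP-IN:" and "SSH-IN:", and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example.

```python
import re
from collections import Counter

# KEY=VALUE fields as written by the iptables LOG target. VALUE may be empty ("OUT=").
_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# The --log-prefix text sits between "kernel:" (and an optional uptime stamp) and "IN=".
_PREFIX_RE = re.compile(r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(.*?)\s*IN=")

# Constructed sample syslog lines (not real traffic): four FTP SYNs, one SSH SYN, one sshd line.
SAMPLE_LOG = """\
Mar 17 22:05:11 gw kernel: FTP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 22:05:13 gw kernel: FTP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51240 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 22:06:01 gw kernel: FTP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 17 22:07:45 gw kernel: SSH-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51300 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 22:08:02 gw kernel: FTP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51301 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 22:09:30 gw sshd[1234]: Accepted publickey for franck from 192.0.2.10 port 50000 ssh2
"""


def parse_iptables_line(line):
    """Return the fields of one iptables LOG line as a dict, or None for any other syslog line."""
    fields = dict(_KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    m = _PREFIX_RE.search(line)
    fields["PREFIX"] = m.group(1).strip() if m else ""
    fields["TIMESTAMP"] = line[:15]  # syslog "Mon dd HH:MM:SS" is fixed width
    return fields


def tally_sources(log_text, dport=None, proto="TCP"):
    """Count logged packets per source address, optionally restricted to one destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_iptables_line(line)
        if f is None or f.get("PROTO") != proto:
            continue
        if dport is not None and f.get("DPT") != str(dport):
            continue
        counts[f["SRC"]] += 1
    return counts


def offenders(log_text, dport, threshold):
    """Sources that hit `dport` at least `threshold` times, most active first."""
    counts = tally_sources(log_text, dport=dport)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def hits_per_minute(log_text, dport):
    """Packets to `dport` bucketed by minute, the series one would feed to a graph."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_iptables_line(line)
        if f is None or f.get("DPT") != str(dport):
            continue
        counts[f["TIMESTAMP"][:12]] += 1  # "Mar 17 22:05"
    return counts


if __name__ == "__main__":
    # Run over the constructed sample; with a real box, read the kernel log file instead.
    print("FTP offenders (>= 2 hits):", offenders(SAMPLE_LOG, 21, 2))
    for minute, n in sorted(hits_per_minute(SAMPLE_LOG, 21).items()):
        print(f"{minute}  {'#' * n} {n}")
```

Because the tally is keyed on the SRC field and not on any block decision, a source stays in the statistics after a psad timeout expires, which is the gap in *psad -S* the thread describes; cross-checking against other ports is one `tally_sources(..., dport=22)` call away, and the per-minute buckets are what a plotting tool would consume.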