So I got bored and wrote a script that parses a list displayed on my site:
Click here for list
So now you ask... what is it for? This list is generated from failed SSH brute force attempts. When the offending IP is banned, it is then added to the list above. By itself this is utterly useless without a purpose. With that said, this is why I wrote another script which parses the list previously mentioned, and places the offending IP into your server's iptables block list.
As of this post, the crontab script is still in a pretty beta form, and has no mechanism to check iptables to see if the IP is already listed. I will add additional features as time permits. Until then, please visit the page which displays the current ban list, and also provides the download link to the crontab script:
Current Ban List - automatically updates
crontab script
Project Page
The easiest way to do this is to have a properly configured BIND setup. However, if you still want to block these types of attacks before they hit your server, you can simply add the following iptables rule to your existing configuration. When a rogue server or user attempts to perform a DNS recursion exploit/attack, they will be doing something similar to:
dig . NS @yourserver.com
Normally this will be reflected in your logs as:
Jan 01 dev named[23890]: client 127.0.0.1#65188: query (cache) './NS/IN' denied
If you see "denied", that is a good thing; however, these attempts can still quickly fill your logs. With that said, this iptables rule will give you peace of mind and smaller log files:
iptables -I INPUT -p udp --dport 53 -m length --length 45 -j DROP
Once you have this rule in place, run "dig . NS @yourserver.com" to test. Note that the rule matches on total packet length: 45 bytes is a minimal IPv4 header (20), the UDP header (8) and a 17-byte DNS message holding a single question for the root name, so a dig that adds an EDNS0 OPT record (newer versions do by default unless given +noedns) produces a longer packet that this rule does not drop. Enjoy.
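To see exactly which packets the rule catches, here is an added Python example (my own code, not part of the original post) that builds the DNS query "dig . NS" puts on the wire and computes the layer-3 length that "-m length" compares against. It also shows the two edges of the heuristic: any single-question query for the root name (not just NS) is the same 45 bytes and is dropped, while the same query carrying an EDNS0 OPT record is 56 bytes and passes. Function and constant names are assumed.

```python
import struct

IPV4_HEADER_LEN = 20   # minimal IPv4 header, no options
UDP_HEADER_LEN = 8
RULE_LENGTH = 45       # the value used by the iptables rule above
QTYPE_A, QTYPE_NS, QTYPE_OPT = 1, 2, 41
CLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Wire-format a domain name; the root "." is a single zero byte."""
    labels = [label for label in name.strip(".").split(".") if label]
    out = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return out + b"\x00"

def build_query(name: str, qtype: int, edns: bool = False, txid: int = 0x1234) -> bytes:
    """Build a DNS query with one question (RD set), optionally with an EDNS0 OPT record."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if edns:
        # OPT pseudo-RR: root name, type 41, UDP payload size 4096,
        # extended rcode/flags 0, zero-length RDATA (11 bytes in total)
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, 0, 0)
    return msg

def packet_length(dns_msg: bytes) -> int:
    """Total IPv4 packet length, which is what `-m length --length` examines."""
    return IPV4_HEADER_LEN + UDP_HEADER_LEN + len(dns_msg)

def dropped_by_rule(dns_msg: bytes) -> bool:
    """True if the rule `-p udp --dport 53 -m length --length 45 -j DROP` would match."""
    return packet_length(dns_msg) == RULE_LENGTH

if __name__ == "__main__":
    cases = {
        ". NS (dig default before EDNS)": build_query(".", QTYPE_NS),
        ". A (same size, also dropped)":  build_query(".", QTYPE_A),
        ". NS with EDNS0 OPT":            build_query(".", QTYPE_NS, edns=True),
        "example.com NS":                 build_query("example.com", QTYPE_NS),
    }
    for label, msg in cases.items():
        verdict = "DROP" if dropped_by_rule(msg) else "pass"
        print(f"{label:34s} {packet_length(msg):3d} bytes -> {verdict}")
```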