Stuart Fox wrote:
[SNIP]
Be careful with auto route blockers and iptables manipulators like that. As an attacker you could detect quite easily that you're being actively blocked, then spoof the source IP as the target computer. The blocker script would then quite correctly shut down all routes to and from itself, requiring console access. As an added kick in the proverbials, the attacker could spoof his address as a 192.168.x.x range and block local LAN access as well. In effect you've just DoS'd yourself! Not too much of a problem if you are on site, but a bugger if your server is remote.
One way to combat it is to time out the blocks with an intelligent script that removes the block after, say, 10 mins.
Just be careful is all :)
Fair point, but all our servers are already behind firewalls that deal with that sort of spoofing, so it's unlikely that it will occur. In my research I've found this tool, which is Gentoo-orientated but should be adaptable. It looks really good, and has expiries and suchlike built in:
http://blinkeye.ch/mediawiki/index.php/SSH_Blocking
In the last 4 days I've had over 88,000 SSH-cracking hits on one (randomly selected) server alone. I'd just like to drop the traffic...
Cheers, Laurie.
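As an added illustration of the two points raised in this thread (timed-out blocks, and never letting a spoofed source trick the script into blocking the host itself or its LAN), here is a small blocker in Python. It is example code written for this page, not the linked Gentoo tool and not anything Stuart or Laurie posted. It assumes the usual OpenSSH "Failed password" syslog format, uses 198.51.100.200 as a stand-in for the server's own public address, and runs in dry-run mode by default so it only records the iptables commands it would issue; the log lines are constructed for the example.

```python
import ipaddress
import re
import subprocess
from collections import defaultdict

# OpenSSH "Failed password" lines as they appear in a syslog-style auth log.
# Assumption for this example: the log matches this common format.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Sources that must never get a DROP rule, whatever the log says. If an
# attacker spoofs one of these, blocking it would cut the host off from its
# own LAN or loopback: the self-DoS described in the thread.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


class SshBlocker:
    def __init__(self, own_addresses, threshold=5, block_seconds=600, dry_run=True):
        # own_addresses: this host's own public IPs, also protected from blocking.
        self.protected = NEVER_BLOCK + [ipaddress.ip_network(a) for a in own_addresses]
        self.threshold = threshold
        self.block_seconds = block_seconds      # 10 minutes, as suggested above
        self.dry_run = dry_run
        self.failures = defaultdict(int)        # source ip -> failed logins seen
        self.blocked = {}                       # source ip -> expiry (epoch seconds)
        self.skipped = set()                    # protected sources that hit the threshold
        self.commands = []                      # iptables commands issued (or would be)

    def _iptables(self, *args):
        cmd = ["iptables", *args]
        self.commands.append(" ".join(cmd))
        if not self.dry_run:                    # real run needs root
            subprocess.run(cmd, check=True)

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.protected)

    def feed(self, line, now):
        """Count one log line; block the source once it reaches the threshold."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold or ip in self.blocked:
            return None
        if self.is_protected(ip):               # spoofed self/LAN source: refuse
            self.skipped.add(ip)
            return None
        self.blocked[ip] = now + self.block_seconds
        self._iptables("-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "DROP")
        return ip

    def expire(self, now):
        """Remove DROP rules whose block window has elapsed."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                self._iptables("-D", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "DROP")
                del self.blocked[ip]
                self.failures.pop(ip, None)


def _failed(ip, n, pid=1000):
    # Constructed sample lines, not taken from any real log.
    return [
        f"Jun 14 10:00:0{i} host sshd[{pid + i}]: Failed password for root from {ip} port {40000 + i} ssh2"
        for i in range(n)
    ]


SAMPLE_LOG = (
    _failed("203.0.113.45", 5)        # real brute-forcer: gets blocked
    + _failed("198.51.100.7", 1)      # a single failure: below threshold
    + _failed("192.168.1.20", 5)      # spoofed LAN source: must be skipped
    + _failed("198.51.100.200", 5)    # spoofed as our own address: must be skipped
    + ["Jun 14 10:00:20 host sshd[1300]: Accepted publickey for laurie from 203.0.113.9 port 50000 ssh2"]
)


def run_sample(now=1_700_000_000.0):
    b = SshBlocker(own_addresses=["198.51.100.200"], dry_run=True)
    for line in SAMPLE_LOG:
        b.feed(line, now)
    blocked_before = sorted(b.blocked)
    b.expire(now + 599)               # inside the window: nothing released
    still = sorted(b.blocked)
    b.expire(now + 600)               # window elapsed: DROP rule removed
    return {
        "blocked": blocked_before,
        "still_blocked_at_599s": still,
        "blocked_after_expiry": sorted(b.blocked),
        "skipped": sorted(b.skipped),
        "commands": b.commands,
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```

Two points in the design: the protected list is checked only when a source crosses the threshold, so ordinary counting is cheap, and the expiry pass issues the matching `-D` with exactly the arguments used for `-I`, so the rule is actually removed rather than leaving a stale DROP behind. The protected list only stops the self-DoS; it does nothing about an attacker who spoofs some third party's address to get it blocked, which is why the short expiry still matters.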