by mtekman 739 days ago
I have a utility that parses ssh failed attempts and creates iptables blocklists:

https://gitlab.com/mtekman/iptables-autobanner

For those just wanting the blocklist, here is a table of malicious IP addresses, with columns of: address, number of ports tried, number of usernames tried.

https://upaste.de/bgC

5 comments
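A minimal illustration of the kind of parsing the post describes, added here as an example and not taken from the iptables-autobanner project: it reads constructed sshd log lines, counts distinct ports and usernames per source address (the same columns as the table above), and renders DROP rules as strings without executing anything. The log format, the sample addresses and the ban threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for demonstration (not real traffic).
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:05 host sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51234 ssh2
Jan 10 12:01:00 host sshd[1240]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 10 12:01:30 host sshd[1241]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Jan 10 12:02:00 host sshd[1242]: Invalid user guest from 192.0.2.9 port 2222
"""

# Two common sshd failure messages; the "invalid user" prefix is optional.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)")


def summarize(log_text):
    """Return {ip: (distinct ports tried, distinct usernames tried)} for failed attempts."""
    ports = defaultdict(set)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or INVALID_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ports[m.group("ip")].add(int(m.group("port")))
        users[m.group("ip")].add(m.group("user"))
    return {ip: (len(ports[ip]), len(users[ip])) for ip in ports}


def blocklist(summary, threshold=2):
    """Addresses whose distinct port or username count reaches the (assumed) threshold."""
    return sorted(ip for ip, (p, u) in summary.items() if max(p, u) >= threshold)


def iptables_rules(ips, chain="INPUT"):
    """Render one DROP rule per address as a string; nothing is executed here."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, (p, u) in sorted(summary.items()):
        print(f"{ip}\t{p}\t{u}")  # address, ports tried, usernames tried
    print("\n".join(iptables_rules(blocklist(summary))))
```

A single-user, single-port failure (198.51.100.7 above) stays below the threshold, so a mistyped password from a legitimate host does not get banned by this rule alone.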

I simply run fail2ban with a whole bunch of custom filters that will ban people very quickly. There's no need to request PHP or malformed URLs when PHP is not used, for example.
I used to run fail2ban, but I found it (or at least its defaults) ineffective at discouraging further requests. With iptables, you can specify the connection to hang for a period and then drop.
Defaults are set to reject. Just configure the jails or a global config.
An iptables hashlimit rule can do the same. Your firewall rules get to be more readable, and you don't end up relying on the security of a log parser.

The biggest win comes from just disabling password authentication in sshd though.

I run endlessh; I always giggle when I see some connection that lasts for 2d.
A lot of people thought this would be a good idea at some point.
The upaste link is 404.