| Author |
Message |
waynemr
Joined: 10 Dec 2009
Posts: 7
|
| Posted: Wed Feb 03, 2010 1:21 am Post subject: getting denyhost hits from other linode users |
|
|
I've noticed my denyhosts setup is blocking some other linode users. Since this can only happen after x number of invalid SSH login attempts, what is the best approach according to the community for dealing with this?
1. ignore it and let denyhosts do its job
2. warn the other linode users their site(s) might be compromised
3. file a report with linode
I'm inclined to pick 1, because I don't have time to mess with it, but if there is a strong community sense of self-policing these kinds of things, I'd be happy to contribute.
cheers! |
|
|
vonskippy
Joined: 27 Dec 2009
Posts: 410
Location: Colorado, USA
|
| Posted: Wed Feb 03, 2010 1:24 am Post subject: |
|
|
Send the log snippet to abuse@linode.com
Either those systems are compromised - or the owners are morons to sh*t in their own backyard.
Either way they need to be cleaned up. |
|
|
pclissold
Joined: 24 Oct 2003
Posts: 855
Location: Netherlands
|
| Posted: Wed Feb 03, 2010 6:45 am Post subject: |
|
|
vonskippy wrote: Send the log snippet to abuse@linode.com
Either those systems are compromised - or the owners are morons to sh*t in their own backyard.
Either way they need to be cleaned up.
+1 - they are sh*tting in our back yard. |
|
|
waynemr
Joined: 10 Dec 2009
Posts: 7
|
| Posted: Wed Feb 03, 2010 10:04 am Post subject: |
|
|
| Okay, I'll gather the relevant logs and forward them on :) |
|
|
MrRx7
Joined: 21 May 2008
Posts: 46
Location: Austin, Tx
|
| Posted: Wed Feb 03, 2010 4:25 pm Post subject: |
|
|
Assuming the ssh login attempts are coming from the local network, you should add a firewall rule to block ssh/telnet traffic.
Else fail2ban or denyhosts is perfect... oh, and reporting is always nice. |
|
|
Azathoth
Joined: 07 Dec 2009
Posts: 226
|
| Posted: Wed Feb 03, 2010 7:27 pm Post subject: |
|
|
| fail2ban etc... waste of resources. Just move ssh away from port 22. You can still keep logging syn packets incoming at port 22 if you wish to file reports. |
|
|
waynemr
Joined: 10 Dec 2009
Posts: 7
|
| Posted: Wed Feb 03, 2010 9:30 pm Post subject: |
|
|
| Actually, we only allow key-based authentication, but we keep denyhosts on to trigger complete service bans. I know it is mostly futile in the big scheme of things, but it does provide a curious diversion from time to time. |
|
|
Alucard
Joined: 13 Feb 2008
Posts: 116
|
| Posted: Thu Feb 04, 2010 3:49 pm Post subject: |
|
|
+1 for abuse@linode.com, they're very responsive.
Make sure to include src & dest IPs as well. |
|
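An added example, not posted by anyone in the thread: a Python script that turns sshd failed-login lines into the kind of log snippet recommended above, grouped by source IP and carrying the destination IP. The sample log lines are constructed, and `PROVIDER_NETS` and the destination address are placeholder assumptions to be replaced with the provider's real ranges and your own server's IP.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in classic syslog sshd format; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb  3 01:02:11 web1 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Feb  3 01:02:15 web1 sshd[1236]: Failed password for root from 192.0.2.10 port 51240 ssh2
Feb  3 01:03:40 web1 sshd[1250]: Invalid user test from 198.51.100.7
Feb  3 01:04:02 web1 sshd[1260]: Accepted publickey for wayne from 203.0.113.5 port 40000 ssh2
Feb  3 01:09:59 web1 sshd[1301]: Failed password for root from 192.0.2.10 port 51302 ssh2
"""

# Assumption: placeholder for the hosting provider's address blocks.
PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Matches "Failed <method> for [invalid user] <name> from <ip>" and "Invalid user <name> from <ip>".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:Failed \S+ for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<src>[0-9a-fA-F.:]+)"
)

def summarize(log_text, nets=PROVIDER_NETS):
    """Group failed-login lines by source IP, keeping only sources inside `nets`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # not a parseable address; skip rather than report garbage
        if any(src in net for net in nets):
            hits[str(src)].append((m["ts"], line))
    return dict(hits)

def abuse_report(log_text, dest_ip, nets=PROVIDER_NETS):
    """Render plain text: src IP, dest IP, matching line count, time window, raw lines."""
    out = []
    for src, entries in sorted(summarize(log_text, nets).items()):
        out.append(f"src={src} dest={dest_ip} lines={len(entries)} "
                   f"first='{entries[0][0]}' last='{entries[-1][0]}'")
        out.extend("    " + line for _, line in entries)
    return "\n".join(out)

if __name__ == "__main__":
    print(abuse_report(SAMPLE_LOG, "203.0.113.80"))  # dest IP is a placeholder
```

Syslog timestamps in this format carry no year or time zone, so state both in the message that accompanies the report.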
|
waynemr
Joined: 10 Dec 2009
Posts: 7
|
| Posted: Thu Feb 04, 2010 5:35 pm Post subject: |
|
|
| Yes, they responded right away and in fact, they had already been alerted earlier about the trouble boxes and had already been working with them to address the issue. I was very impressed! :D |
|
|
Key
Joined: 31 Jan 2010
Posts: 17
|
| Posted: Sat Feb 06, 2010 6:02 pm Post subject: |
|
|
waynemr wrote: Yes, they responded right away
Always reassuring to know. After reading this I installed DenyHosts and I'm hoping nothing like this happens to me! |
|
|
| |