"Fossies" - the Fresh Open Source Software Archive

Member "sshdfilter-1.5.7/todo" (8 Apr 2007, 1287 Bytes) of package /linux/privat/old/sshdfilter-1.5.7.tar.gz:

Todo:

iptables can do more than just block the given IP: it can be used to turn the attacker back on themselves. The moment an IP is considered hostile, an iptables DNAT can be used to redirect their ssh login requests to themselves. Chances are that IP will be listening, because that is how their machine was infected in the first place.

An initial iptables command such as this:

iptables -I FORWARD -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

will enable support, and then

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 22 -i eth1 -j DNAT -s <IP> --to <IP>

will redirect any ssh traffic from <IP> back to <IP>.

Pros:
1. Wastes the attacker's time; it is their logs that are filled with failure messages.
2. The attack on the attacker's machine will be successful, probably leading to the real attacker being given your IP as a penetrated machine, which makes it a much bigger time waster when he tries to log in to your machine and fails.

Cons:
1. Relaying the login attempts wastes your bandwidth.
2. Legally it could be considered hacking.
3. Some ISPs monitor outgoing ssh connection requests; a high frequency of outgoing connections suggests you've been hacked. ISPs have been known to telephone the source of sshd brute force attacks (i.e. their customers) and suggest they've been hacked.