On Sunday 01 April 2007 14:03, Daniel Iliev wrote:
> Hi, guys
>
> Recently I was looking through my logs when I got pissed off (again) by
> the big number of lines showing something like 'sshd: auth. error:
> unknown user "XXX" from "some IP address"'. I wrote a script which
> automatically sets all connections from those IP addresses to be
> dropped. Next I decided to change "-j DROP" with "-j TARPIT" and I
> realized that gentoo-sources doesn't provide the netfilter target "TARPIT".
>
> My question: what is the best way to get this iptables module working w/o
> diverting too much from the official Gentoo installation. I mean the
> normal way is to use patch-o-matic to patch iptables source and vanilla
> kernel source, then build and install. I have the feeling that it is not
> exactly the right thing to do with Gentoo.
>
> Any advice would be much appreciated.
Given that others have already replied how to patch the kernel, here's a somewhat indirect answer which may resolve the root cause: Are you using password authentication? I wonder if the logs would still be filling up by such botnets if you had allowed only 'PubkeyAuthentication yes'.

The other thing to consider is changing the default ssh port 22 to some other random port which is not hit as frequently by botnets, only by more comprehensive port scans. Then remove your iptables LOG rule for port 22 (if you have one) and you should get rid of almost all related messages.

HTH.

--
Regards,
Mick
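Added example, not code from either poster: a small Python script that does the aggregation step Daniel's script presumably performs before blocking, parsing lines in the message form he quoted (the sample log lines are constructed, and the exact sshd wording and the failure threshold are assumptions), so the candidate addresses can be reviewed before any DROP or TARPIT rule is applied.

```python
import re
from collections import Counter

# Pattern for the message form quoted in the thread:
#   ... unknown user "NAME" from "ADDR"
# Assumption: real sshd wording differs between versions; adjust to match yours.
LOG_RE = re.compile(r'sshd.*unknown user "(?P<user>[^"]*)" from "(?P<addr>[^"]+)"')

# Constructed sample log lines (documentation addresses, not from a real host).
SAMPLE_LOG = """\
Apr  1 13:01:02 box sshd[2101]: auth. error: unknown user "admin" from "192.0.2.10"
Apr  1 13:01:05 box sshd[2103]: auth. error: unknown user "test" from "192.0.2.10"
Apr  1 13:01:09 box sshd[2105]: auth. error: unknown user "oracle" from "192.0.2.10"
Apr  1 13:02:11 box sshd[2110]: auth. error: unknown user "guest" from "198.51.100.7"
Apr  1 13:05:00 box sshd[2120]: Accepted publickey for mick from 203.0.113.5 port 51022
"""

def count_unknown_users(lines):
    """Map source address -> number of unknown-user failures seen in `lines`."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[m.group("addr")] += 1
    return hits

def offenders(lines, threshold=3):
    """Addresses with at least `threshold` failures, most active first.
    The threshold is an assumed value; one failure is not enough to block on."""
    counts = count_unknown_users(lines)
    return [(addr, n) for addr, n in counts.most_common() if n >= threshold]

def iptables_rules(addrs, target="DROP", dport=22):
    """Render the rules for review. TARPIT only works once the patch
    discussed in the thread is built into the kernel and iptables."""
    return [f"iptables -A INPUT -p tcp --dport {dport} -s {a} -j {target}"
            for a in addrs]

if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines())
    for addr, n in bad:
        print(f"{addr}: {n} unknown-user failures")
    for rule in iptables_rules([a for a, _ in bad]):
        print(rule)
```

Feed it the real auth log instead of SAMPLE_LOG (for example `sys.stdin`) and raise the threshold to suit the host; with key-only authentication and a moved port, as suggested above, the list should stay short.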