From: Török Edwin
Date: Sun, 13 Jan 2013 11:15:32 +0200
To: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] blocking probes...
Message-ID: <50F27B34.503@etorok.net>

On 01/13/2013 06:50 AM, Dave Taht wrote:
> one of the underused features of cerowrt is that I stuck a sensor on
> xinetd to detect attempts to telnet or ftp to the router and cut off
> access to some other services, notably ssh.

I don't see this on my cerowrt, is this only in the 3.7.x series?

>
> I would have loved to extend this facility to either do it entirely in
> iptables or leverage xinetd to talk to iptables to (for example)
> disable access to the web server.
>
> I'm curious if anyone else's server logs ever show something like this
> in the Real World:
>
> Jan 12 20:44:02 europa daemon.crit xinetd[3273]: 3273 {process_sensor}
> Adding 190.185.12.121 to the global_no_access list for 120 minutes
>
> And I'm curious as to what more fully blown tools like this already exist.
>

I'm using fail2ban on my server (not the router), and see between 2-7 of these bans/day:

Jan 13 03:34:28 sshd[22392]: Did not receive identification string from 83.231.93.133
Jan 13 04:03:05 sshd[23167]: Invalid user delta from 83.231.93.133
Jan 13 04:03:05 sshd[23170]: Invalid user admin from 83.231.93.133
2013-01-13 04:03:06,376 fail2ban.actions: WARNING [ssh] Ban 83.231.93.133
2013-01-13 07:47:21,738 fail2ban.actions: WARNING [ssh] Unban 66.135.32.170

--Edwin
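
The kind of ban decision visible in the fail2ban excerpt above can be sketched as a sliding-window counter over sshd failure lines. This is an added example, not code from the post or from fail2ban; `find_bans`, the `maxretry`/`findtime` values chosen here and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the two sshd failure messages quoted in the post. The address is
# anchored to the end of the line so that text inside an attacker-chosen
# username can never be read as the source address.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?sshd\[\d+\]: "
    r"(?:Invalid user .*|Did not receive identification string) "
    r"from (?P<ip>[0-9a-fA-F:.]+)(?: port \d+)?$"
)

def find_bans(lines, maxretry=3, findtime=timedelta(minutes=60), year=2013):
    """Return [(time, ip)] for each IP reaching maxretry failures within findtime.

    Assumes lines are in chronological order. maxretry/findtime defaults are
    illustrative values, not the poster's configuration.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned, bans = set(), []
    for line in lines:
        m = FAILURE.match(line.strip())
        if not m or m["ip"] in banned:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(m["ip"])
            bans.append((ts, m["ip"]))
    return bans

# Constructed sample input in the same format as the log lines in the post.
SAMPLE = """\
Jan 13 03:34:28 sshd[22392]: Did not receive identification string from 203.0.113.7
Jan 13 04:03:05 sshd[23167]: Invalid user delta from 203.0.113.7
Jan 13 04:03:05 sshd[23170]: Invalid user admin from 203.0.113.7
Jan 13 04:10:00 sshd[23200]: Invalid user x from 198.51.100.9 from 203.0.113.50
Jan 13 09:00:00 sshd[24000]: Invalid user test from 192.0.2.1
""".splitlines()

if __name__ == "__main__":
    for when, ip in find_bans(SAMPLE):
        print(f"{when} Ban {ip}")
```

In the fourth sample line the username itself contains " from 198.51.100.9"; the end-of-line anchor attributes the failure to the real peer, 203.0.113.50, rather than to the embedded address.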