[PLUG] IPtables internal port forwarding

chris (fool) mccraw gently at gmail.com
Wed May 6 22:56:54 UTC 2009


On Wed, May 6, 2009 at 15:50, Rich Shepard <rshepard at appl-ecosys.com> wrote:
> On Wed, 6 May 2009, chris (fool) mccraw wrote:
>
>> i rolled this out after i got tired of playing whack-a-mole and to my
>> delight discovered that no scanner in the past 8 months (since i rolled it
>> out) continues to scan more than a handful of times after the connection
>> is refused.
>
>   On the advice of many, I installed denyhosts here and it works like a
> charm. However, I still see dozens to hundreds of attempts from the same IP
> address to ssh in and even more trying brute force attacks to find a valid
> username.

interesting!  i get scanned several times a day and have yet to see
one that keeps going after a few "connection refused"s.  i figured
there were no more than a couple of types of scanners (seemed likely
there are at least that many--one tries a lot of passwords per
connection and one only tries one;  one cycles through a list of
account names from a-z and another just tries root@ a lot, etc).  the
most infuriating for me now are some occasional "distributed"
scans--no more than one connection attempt per IP, runs at a
trickle-flow instead of mass-blast.  those foil denyhosts like a slow
knife foils a shield from Herbert's _Dune_.  they worry me a lot more
because it seems like an extra level of sophistication to have your
botnet scan me!

if only i could get denyhosts to parse proftpd logs.  because those
scans still carry on for hours unless i happen to flip past the syslog
window while they're in progress.
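As an added example (not part of the original post or of denyhosts), the detection logic the thread is circling around: parse proftpd failed-login syslog lines, apply a denyhosts-style per-IP threshold, and separately flag the "distributed" pattern where each address tries only once so the per-IP rule never fires. The log format is approximated from proftpd's usual syslog output and the hosts and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape proftpd writes to syslog (format assumed;
# hosts and addresses are hypothetical): one noisy address that tries several
# accounts, plus a slow scan where five addresses each try exactly once.
SAMPLE_LOG = """\
May  6 22:50:01 gw proftpd[4211] gw (203.0.113.9[203.0.113.9]): USER root: no such user found from 203.0.113.9 [203.0.113.9] to 192.0.2.1:21
May  6 22:50:02 gw proftpd[4211] gw (203.0.113.9[203.0.113.9]): USER admin: no such user found from 203.0.113.9 [203.0.113.9] to 192.0.2.1:21
May  6 22:50:03 gw proftpd[4211] gw (203.0.113.9[203.0.113.9]): USER chris (Login failed): Incorrect password.
May  6 22:50:04 gw proftpd[4211] gw (203.0.113.9[203.0.113.9]): USER test: no such user found from 203.0.113.9 [203.0.113.9] to 192.0.2.1:21
May  6 22:51:10 gw proftpd[4212] gw (198.51.100.11[198.51.100.11]): USER root (Login failed): Incorrect password.
May  6 22:53:40 gw proftpd[4213] gw (198.51.100.12[198.51.100.12]): USER root (Login failed): Incorrect password.
May  6 22:55:05 gw proftpd[4214] gw (198.51.100.13[198.51.100.13]): USER root (Login failed): Incorrect password.
May  6 22:56:30 gw proftpd[4215] gw (198.51.100.14[198.51.100.14]): USER root (Login failed): Incorrect password.
May  6 22:57:00 gw proftpd[4216] gw (198.51.100.15[198.51.100.15]): USER chris (Login failed): Incorrect password.
"""

# Matches both failure variants: unknown account and wrong password.
FAIL_RE = re.compile(
    r"proftpd\[\d+\] \S+ \((?P<ip>[\d.]+)\[[\d.]+\]\): USER (?P<user>\S+?)"
    r"(?:: no such user found| \(Login failed\))"
)

def parse_failures(log_text):
    """Return one (ip, user) pair per failed-login line."""
    pairs = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("user")))
    return pairs

def noisy_ips(pairs, per_ip_threshold=3):
    """denyhosts-style rule: addresses with at least per_ip_threshold failures."""
    counts = Counter(ip for ip, _ in pairs)
    return sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)

def distributed_scan(pairs, per_ip_threshold=3, min_sources=4):
    """Flag accounts probed from many distinct addresses that each stay below
    the per-IP threshold, i.e. the trickle scan a per-IP blocker never sees."""
    per_ip = Counter(ip for ip, _ in pairs)
    sources = defaultdict(set)
    for ip, user in pairs:
        if per_ip[ip] < per_ip_threshold:
            sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("block (per-IP rule):", noisy_ips(failures))
    print("distributed scan targets:", distributed_scan(failures))
```

Against the sample, the per-IP rule catches only 203.0.113.9, while the aggregate rule surfaces the four single-try addresses hammering root.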


