From: "Paul Hartman"
Sender: paul.hartman@gmail.com
To: gentoo-user@lists.gentoo.org
Date: Wed, 3 Dec 2008 17:21:24 -0600
Subject: Re: [gentoo-user] Curious pattern in log files from ssh...
Message-ID: <58965d8a0812031521o18e02b1cq17ba380a4666084e@mail.gmail.com>
In-Reply-To: <49370E5B.2030000@shic.co.uk>

On Wed, Dec 3, 2008 at 4:55 PM, Steve wrote:
> Dmitry S. Makovey wrote:
>> P.S. I actually don't do any of the above. It was just a surge of creative paranoia
>> in response to initial request :)
>
> All good ideas - except selling the blacklist... I'd be happiest to
> share my blacklist for free... my objective is to minimise exposure to
> botnets - rather than to accept another level of complexity with
> legitimate use.

I think using Dmitry's idea of rejecting the first 2 connections, but
then allowing it as normal on the third attempt would satisfy your
requirements for being on the normal port, allowing all IPs and
requiring no special setup on the client end (other than knowing they
have to retry twice). Of course, this is assuming the botnet stops
after rejected connections...
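
The gating scheme described in this message, modelled as an added example that is not part of the original post or of any tool named in the thread: it tracks connection attempts per source address, rejects the first two and accepts from the third. The class name, the 60-second window and the sample addresses are assumptions made for illustration.

```python
# Added illustration, not from the thread: per-source "reject the first N
# connection attempts, accept the next" gate. Names and defaults are assumptions.
from dataclasses import dataclass, field


@dataclass
class RetryGate:
    rejects_before_accept: int = 2   # from the message: reject the first 2
    window_seconds: float = 60.0     # assumption: attempts must fall in one window
    _attempts: dict = field(default_factory=dict)  # ip -> recent attempt times

    def allow(self, ip: str, now: float) -> bool:
        """Record one new connection attempt and decide whether to accept it."""
        recent = [t for t in self._attempts.get(ip, [])
                  if now - t < self.window_seconds]
        recent.append(now)
        self._attempts[ip] = recent
        return len(recent) > self.rejects_before_accept

    def forget(self, ip: str) -> None:
        """Clear state for a source so its next login has to re-earn entry."""
        self._attempts.pop(ip, None)


def replay(gate: RetryGate, events):
    """Feed (timestamp, ip) attempts through the gate; return the accepted ones."""
    return [(ts, ip) for ts, ip in events if gate.allow(ip, ts)]


# Constructed sample traffic (documentation address ranges from RFC 5737).
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10"),      # legitimate user, attempt 1: rejected
    (1.0, "198.51.100.7"),    # bot that gives up after one rejection
    (2.0, "192.0.2.10"),      # attempt 2: rejected
    (4.0, "192.0.2.10"),      # attempt 3: accepted
    (5.0, "203.0.113.5"),     # persistent bot, attempt 1: rejected
    (6.0, "203.0.113.5"),     # attempt 2: rejected
    (7.0, "203.0.113.5"),     # attempt 3: accepted (the caveat in the message)
    (200.0, "198.51.100.7"),  # same bot later; old attempt expired, rejected
]

if __name__ == "__main__":
    for ts, ip in replay(RetryGate(), SAMPLE_EVENTS):
        print(f"t={ts:>5}: accepted connection from {ip}")
```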