ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers - eviltoast

From The Hacker News

  • Shdwdrgn@mander.xyz
    1 year ago

    Hmm, I keep hearing about it but haven’t looked into it. One thing I have set up between my systems is that they share the blocked IPs with each other so every server drops a blocked address at the same time… I assume crowdsec has something similar for local sharing so I don’t have to wait for a blocked IP to be sent to them, added to the database, and sent back to my local machines again?

    • StarDreamer@lemmy.blahaj.zone
      1 year ago

      One way to do this would be to set up crowdsec bouncers on each server but only run a single instance of the crowdsec daemon. Send all logs to the daemon and let it communicate with all the bouncers.