Not only are bots trying to beat on sshd, but they were also annoying me with comment spam.
Only 4 attempts per hour to talk to sshd so far. That will pick up.
$ uptime && iptables -vnL | grep tcp\ dpt\:22
11:29:15 up 18:45, 1 user, load average: 0.00, 0.01, 0.05
74 3456 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Inspired by http://mywifequitherjob.com/how-to-prevent-comment-spam-from-crashing-your-wordpress-blog-and-taking-down-your-server/, I installed the Cookies for Comments WordPress plugin and made one tweak to my lighttpd.conf:
$HTTP["url"] =~ "^/wp-comments-post.php.*$" {
    $HTTP["cookie"] !~ ".*f88ca0021aa9ade19e8258a9d4637c66.*" {
        url.access-deny = ( "" )
    }
}
$HTTP["url"] =~ "^/wp-login.php.*$" {
    $HTTP["cookie"] !~ ".*f88ca0021aa9ade19e8258a9d4637c66.*" {
        url.access-deny = ( "" )
    }
}
$HTTP["url"] =~ "^/xmlrpc.php.*$" {
    url.access-deny = ( "" )
}
That’s the real cookie value for this site; this is what it’s for if you see it in your cookies list, and you can see where it shows up in the source code of this page. Bonus points: after seeing some log entries for these, I realized the same check also stops simple brute-force login robots. Scope creep as a feature!
If you GET or POST the comments .php file and you don’t have this cookie value set, you go straight to a 403 Forbidden. lighttpd never hands the request to PHP, so it can’t jam up system resources, and it doesn’t bother trying to show a nice error message.
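To make the three rules above concrete, here is an added Python emulation of the decision they encode (this is not part of the original post and not lighttpd's own code); the sample requests and the `cfc` cookie name are constructed, and the token is the one from the config above.

```python
import re

# Token from the lighttpd.conf rules above. The Cookies for Comments plugin
# plants it in a real browser; spam and login bots that never loaded the page
# the normal way don't have it.
COOKIE_TOKEN = "f88ca0021aa9ade19e8258a9d4637c66"

# One entry per lighttpd block: (url regex, cookie regex or None).
# None means "deny regardless of cookie" (the xmlrpc.php rule).
# Note the cookie regex only requires the token to appear somewhere in the
# Cookie header, exactly like the `!~ ".*token.*"` condition in the config.
RULES = [
    (re.compile(r"^/wp-comments-post.php.*$"), re.compile(rf".*{COOKIE_TOKEN}.*")),
    (re.compile(r"^/wp-login.php.*$"), re.compile(rf".*{COOKIE_TOKEN}.*")),
    (re.compile(r"^/xmlrpc.php.*$"), None),
]


def decide(url: str, cookie_header: str = "") -> int:
    """Return the status lighttpd answers with: 403 if a rule denies, else 200.

    A missing Cookie header is treated as the empty string, so a request with
    no cookies at all fails the `!~` test and is denied.
    """
    for url_re, cookie_re in RULES:
        if not url_re.search(url):
            continue
        if cookie_re is None or not cookie_re.search(cookie_header):
            return 403
    return 200


# Constructed sample requests: (url, Cookie header, who sent it).
SAMPLE_REQUESTS = [
    ("/wp-comments-post.php", "", "comment spam bot, no cookie"),
    ("/wp-comments-post.php", f"wordpress_test_cookie=WP+Cookie+check; cfc={COOKIE_TOKEN}", "real browser"),
    ("/wp-login.php?redirect_to=%2Fwp-admin%2F", "", "brute-force login bot"),
    ("/xmlrpc.php", f"cfc={COOKIE_TOKEN}", "XML-RPC client, cookie makes no difference"),
    ("/2014/some-post/", "", "ordinary page view"),
]


def summarize(requests=SAMPLE_REQUESTS):
    """Run every sample request through the rules; returns (url, status, who)."""
    return [(url, decide(url, cookie), who) for url, cookie, who in requests]


if __name__ == "__main__":
    for url, status, who in summarize():
        print(f"{status} {url:45} {who}")
```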
Will now go open up comments the way I wanted to originally and wait and see if this means problem solved or at least significantly reduced.
Future development, if it becomes more of a problem: Fail2ban, perhaps combined with an iptables tarpit.