LinuxQuestions.org
Old 02-09-2006, 11:10 PM   #1
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Port scanning of my server from China


I have set up a good iptables firewall script on my GATEWAY machine (Linux 2.6.xx), and the rules for my internet NIC are:

ipt -A INPUT -i $INET_IFACE -m state --state NEW -j LOG --log-prefix "INPUT_IFACE_NEW: "
ipt -A INPUT -i $INET_IFACE -m state --state NEW -j DROP
ipt -A INPUT -i $INET_IFACE -m state --state INVALID,NEW -j LOG --log-prefix "INPUT_IFACE_NEW_INVALID: "
ipt -A INPUT -i $INET_IFACE -m state --state INVALID,NEW -j DROP

I use this nice open source product, which alerts me to port scans:

http://www.cipherdyne.org/projects/psad/

I'm continuously receiving alerts for this IP address from a Chinese source:

221.203.145.54

I have also added this IP to /etc/hosts.deny.

What else can I do to stop this nuisance, at least from this IP? Earlier I was under a dictionary attack on my SSH port from China, and I fixed it by changing the SSH port and using an open source solution like DenyHosts.
 
Old 02-10-2006, 01:02 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Quote:
Originally Posted by ~=gr3p=~
I'm continuously recieving alerts for this IP Address from chinese source:

221.203.145.54
It seems to have a significant history of abuse.

what else can i do to stop this nuisance atleast from this IP.
Support for tcpwrappers (hosts.deny) isn't present in all applications, but you can completely ban all traffic from that host with iptables using:
iptables -I INPUT -s 221.203.145.54 -j DROP

earlier i was under dictionary attack on my SSH port from chinese and i fixed by changing the port for SSH and using open source solution like DenyHosts.
Changing the port is effective in cutting the number of attacks, but you might want to switch to using key-based authentication rather than passwords. There are also a number of alternative solutions you may want to check out in the thread on "Failed SSH Logins" at the top of the forum.
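The two posts above describe the same workflow by hand: the LOG rules on the gateway write one kernel line per new connection attempt, psad reads those lines, and the admin then hand-types an iptables DROP (or a hosts.deny entry) for the offending source. The script below is an added example, not code from the thread, psad or any poster: it parses iptables LOG lines carrying the INPUT_IFACE_NEW / INPUT_IFACE_NEW_INVALID prefixes from post #1, counts distinct destination ports per source, and emits the block rule from post #2 plus the equivalent hosts.deny line. The log lines are constructed for the example (the 221.203.145.54 source is the one from the thread; the destination address, interface, the other sources and the thresholds are assumptions). It deliberately refuses to list private or loopback sources, since on an internet-facing interface those are spoofed or misrouted and an automatic block on a LAN address would do more harm than the scan.

```python
"""Turn iptables LOG lines (as written by the INPUT_IFACE_NEW rules in post #1)
into a per-source summary and a blocklist in both forms discussed in the thread:
an iptables DROP rule (post #2) and a hosts.deny entry (post #1).
Added example; not part of the original thread or of psad."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample kernel log lines in iptables LOG-target format. Timestamps,
# hostname, interface, destination address and the non-thread sources are made up.
SAMPLE_LOG = """\
Feb 10 00:12:01 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=203.0.113.10 LEN=48 TTL=112 ID=256 PROTO=TCP SPT=6000 DPT=21 WINDOW=16384 SYN URGP=0
Feb 10 00:12:01 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=203.0.113.10 LEN=48 TTL=112 ID=257 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 SYN URGP=0
Feb 10 00:12:01 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=203.0.113.10 LEN=48 TTL=112 ID=258 PROTO=TCP SPT=6000 DPT=23 WINDOW=16384 SYN URGP=0
Feb 10 00:12:02 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=203.0.113.10 LEN=48 TTL=112 ID=259 PROTO=TCP SPT=6000 DPT=25 WINDOW=16384 SYN URGP=0
Feb 10 00:12:02 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=203.0.113.10 LEN=48 TTL=112 ID=260 PROTO=TCP SPT=6000 DPT=80 WINDOW=16384 SYN URGP=0
Feb 10 00:12:02 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=203.0.113.10 LEN=48 TTL=112 ID=261 PROTO=TCP SPT=6000 DPT=443 WINDOW=16384 SYN URGP=0
Feb 10 00:12:03 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=221.203.145.54 DST=203.0.113.10 LEN=84 TTL=112 ID=262 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 10 00:12:09 gw kernel: INPUT_IFACE_NEW_INVALID: IN=eth0 OUT= SRC=221.203.145.54 DST=203.0.113.10 LEN=40 TTL=112 ID=300 PROTO=TCP SPT=6000 DPT=22 WINDOW=0 ACK URGP=0
Feb 10 00:13:00 gw kernel: eth0: link is up, 100 Mbps full duplex
Feb 10 00:15:40 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=54 ID=1 PROTO=TCP SPT=41022 DPT=22 WINDOW=5840 SYN URGP=0
Feb 10 00:16:00 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.10 LEN=48 TTL=64 ID=10 PROTO=TCP SPT=5555 DPT=21 WINDOW=16384 SYN URGP=0
Feb 10 00:16:00 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.10 LEN=48 TTL=64 ID=11 PROTO=TCP SPT=5555 DPT=22 WINDOW=16384 SYN URGP=0
Feb 10 00:16:00 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.10 LEN=48 TTL=64 ID=12 PROTO=TCP SPT=5555 DPT=23 WINDOW=16384 SYN URGP=0
Feb 10 00:16:01 gw kernel: INPUT_IFACE_NEW: IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.10 LEN=48 TTL=64 ID=13 PROTO=TCP SPT=5555 DPT=25 WINDOW=16384 SYN URGP=0
"""

# Matches only the prefixes used by the rules in post #1; SPT/DPT are optional
# because ICMP entries carry TYPE/CODE instead of ports.
LOG_RE = re.compile(
    r"(?P<prefix>INPUT_IFACE_NEW(?:_INVALID)?): "
    r".*?\bSRC=(?P<src>[0-9.]+) "
    r".*?\bPROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_log(text):
    """One dict per matching LOG line; unrelated kernel messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "prefix": m["prefix"],
            "src": m["src"],
            "proto": m["proto"],
            "dport": int(m["dpt"]) if m["dpt"] else None,
        })
    return events


def summarize(events):
    """Per source address: total hits and the set of distinct TCP/UDP ports probed."""
    summary = defaultdict(lambda: {"hits": 0, "ports": set()})
    for ev in events:
        entry = summary[ev["src"]]
        entry["hits"] += 1
        if ev["dport"] is not None:
            entry["ports"].add(ev["dport"])
    return dict(summary)


def scan_candidates(summary, min_ports=4, min_hits=10):
    """Sources that probed at least min_ports distinct ports or logged at least
    min_hits entries (thresholds are assumptions for the example).
    Private and loopback sources are never listed: on the internet interface
    they are spoofed or misrouted, and blocking a LAN address by mistake would
    hurt more than the scan."""
    out = []
    for src, entry in sorted(summary.items()):
        addr = ipaddress.ip_address(src)
        if addr.is_private or addr.is_loopback:
            continue
        if len(entry["ports"]) >= min_ports or entry["hits"] >= min_hits:
            out.append(src)
    return out


def iptables_rules(ips):
    """The per-host ban from post #2, inserted at the top of INPUT."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def hosts_deny_lines(ips):
    """The tcpwrappers form from post #1 (only honoured by wrapped daemons)."""
    return [f"ALL: {ip}" for ip in ips]


if __name__ == "__main__":
    blocked = scan_candidates(summarize(parse_log(SAMPLE_LOG)))
    print("\n".join(iptables_rules(blocked) + hosts_deny_lines(blocked)))
```

Run against a real file with `python3 blocklist.py < /var/log/messages` after replacing SAMPLE_LOG with stdin; the output is meant to be read before it is applied, not piped straight into a shell. The hosts.deny line is kept alongside the iptables rule because, as post #2 notes, only daemons built with libwrap honour it, so the iptables rule is the one that actually stops the scan.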
 
Old 02-11-2006, 01:47 AM   #3
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Original Poster
Quote:
Originally Posted by Capt_Caveman
It seems to have a significant history of abuse.
Support for tcpwrappers (HostsDeny) isn't used by all applications, but you can completely ban all traffic with iptables using:
iptables -I INPUT -s 221.203.145.54 -j DROP
I have only SSH listening on 0.0.0.0; the other services are bound to the local LAN. That's why I used a second level of security like TCP wrappers. Maybe I'm too paranoid.


Changing the port is effective in cutting the number of attacks, but you might want to switch to using key-based authentication rather than passwords. There also are a number of alternate solutions you may want to checkout in the thread on "Failed SSH Logins" at the top of the forum.


Actually, I have various clients who use WinSCP to connect to my SSH server to download my application builds. It's easier for me to just give them a user/password rather than breaking my head showing them how to generate a public/private key pair, hand the public key over to me, and take my public key in return.

What do you say, buddy?
Anyway, I will check the thread.

TIA

Last edited by ~=gr3p=~; 02-11-2006 at 01:49 AM.
 
Old 02-11-2006, 12:30 PM   #4
taylor_venable
Member
 
Registered: Jun 2005
Location: Indiana, USA
Distribution: OpenBSD, Ubuntu
Posts: 892

scponly

You could probably benefit from using scponly, which is essentially an ssh wrapper that allows only scp transfers. Here's the website: http://www.sublimation.org/scponly/. You can enable it by specifying it as the remote user's login shell. Keeping with defense in depth, this wouldn't give out a remote shell for the clients who only need scp, making a successful dictionary attack essentially futile (as long as the compromised user doesn't have write capability). It would still leave any administrative accounts vulnerable, though, without switching over completely to public/private keypair auth.
 
Old 02-11-2006, 10:54 PM   #5
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Original Poster
Quote:
Originally Posted by taylor_venable
You could probably benefit from using scponly, which is essentially an ssh wrapper that allows only scp transfers. Here's the website: http://www.sublimation.org/scponly/. You can enable it by specifying it as the remote user's login shell. Keeping with defense in depth, this wouldn't give out a remote shell for the clients who only need scp, making a successful dictionary attack essentially futile (as long as the compromised user doesn't have write capability). It would still leave any administrative accounts vulnerable, though, without switching over completely to public/private keypair auth.
I give only SFTP access to my SSH server, in a chrooted environment. The shell for all users is set to /usr/local/libexec/sftp-server.

Anyway, thanks for the replies. Maybe I'm too paranoid.

I just wanted to know about any new things the security experts here use. You see, I'm just a young Linux admin in his 20s who single-handedly configured, and now manages, my company's Squid gateway proxy, Qmail server and one Linux Samba PDC, so I want to learn lots of new stuff. Open source rocks.

Last edited by ~=gr3p=~; 02-11-2006 at 10:56 PM.
 
Old 02-12-2006, 12:41 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

In that case I recommend that you disable direct root access by setting PermitRootLogin to "no" (make sure it's uncommented as well). Make sure that you are using a decent password policy (not dictionary words). You can also reduce MaxAuthTries, which will bog down a brute-force attempt.
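The "make sure it's uncommented" caveat in the post above is the one that bites in practice: the stock sshd_config ships its defaults as commented lines such as `#PermitRootLogin yes`, and sshd ignores comments and takes the first occurrence of each keyword, so editing the value without removing the `#` changes nothing. The checker below is an added example (mine, not the poster's or OpenSSH's): it reproduces those two parsing rules, treats lines after the first `Match` block as conditional rather than global, fills in compiled defaults, and reports the three settings this thread discusses. The two sample configs are constructed; the assumed defaults are those of OpenSSH in the thread's era (2006), when PermitRootLogin defaulted to yes and MaxAuthTries to 6 (later releases default PermitRootLogin to prohibit-password); the MaxAuthTries ceiling of 3 is a choice for the example.

```python
"""Audit an sshd_config for the settings recommended in post #6.
sshd ignores commented lines and uses the first occurrence of a keyword, so a
file whose only PermitRootLogin line is the stock '#PermitRootLogin yes' has
not disabled root login. Added example; not code from the thread or OpenSSH."""
import re

# Compiled-in defaults assumed for an OpenSSH release of the thread's era (2006).
# Newer versions default PermitRootLogin to prohibit-password.
DEFAULTS = {
    "permitrootlogin": "yes",
    "maxauthtries": "6",
    "passwordauthentication": "yes",
    "port": "22",
}

# Constructed sample: a freshly installed file with the defaults still commented out.
WEAK_CONFIG = """\
# stock file; the commented lines show defaults but set nothing
#PermitRootLogin yes
#MaxAuthTries 6
Port 2222
PasswordAuthentication yes
"""

# Constructed sample: the settings from post #6, plus the key-only login from
# post #2, with a per-user exception that must not leak into the global view.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
PubkeyAuthentication yes
Match User builds
    PasswordAuthentication yes
"""

# 'Keyword value' or 'Keyword=value'; keywords are case-insensitive in sshd.
LINE_RE = re.compile(r"(\S+?)\s*(?:=|\s)\s*(.*)")


def parse_sshd_config(text):
    """Effective global settings: lower-cased keyword -> first value seen.
    Stops at the first Match block, whose lines only apply conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank: sshd sets nothing here
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def effective_settings(text):
    """Parsed settings layered over the assumed compiled-in defaults."""
    merged = dict(DEFAULTS)
    merged.update(parse_sshd_config(text))
    return merged


def audit(text, max_auth_tries=3):
    """Findings as plain strings; an empty list means the checks pass."""
    eff = effective_settings(text)
    findings = []
    if eff["permitrootlogin"].lower() != "no":
        findings.append(
            f"PermitRootLogin is effectively '{eff['permitrootlogin']}' "
            "(unset or only present as a comment); set 'PermitRootLogin no'"
        )
    if int(eff["maxauthtries"]) > max_auth_tries:
        findings.append(
            f"MaxAuthTries is {eff['maxauthtries']}; lower it to {max_auth_tries} or less"
        )
    if eff["passwordauthentication"].lower() == "yes":
        findings.append(
            "PasswordAuthentication is yes; dictionary attacks stay possible, "
            "so enforce a strong password policy or move to key-based auth"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

To check a live host, read /etc/ssh/sshd_config into `audit()`; the authoritative view is `sshd -T`, which prints the effective values, but the parser above is useful precisely when you want to see why a value you thought you set is not the one sshd reports.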