I ran across a bit of iptables that claims to slow down the ssh dictionary
attacks we've all been seeing in our logs. Anyone care to analyse this?
SSH
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j DROP
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT --to-destination $INTERNAL:22
-A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination $INTERNAL:22
"This will drop all incoming SSH requests from an individual IP after 3
attempts are made within ten minutes, for ten minutes, and log the attempt to
the syslog. This is a forwarded example but the same thing will work on the
input chain."
Source: one of the comments on
http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/
--
Joey Kelly
< Minister of the Gospel | Linux Consultant >
http://joeykelly.net
"I may have invented it, but Bill made it famous." --- David Bradley, the IBM employee that invented CTRL-ALT-DEL
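Editor's note: to make the behaviour of the quoted rules concrete, here is an added Python model of how the three PREROUTING rules interact with the xt_recent list (this is not code from the post or from the whitedust comment). It models only the documented semantics of `-m recent`: `--rcheck --hitcount 3 --seconds 600` matches when the source already has at least three timestamps inside the last 600 seconds and does not update the list, while `--set` records a new timestamp. The event timeline (`SAMPLE_EVENTS`, source addresses, timestamps) is constructed for the example. Two things the walk-through shows that the quoted description does not: the counter counts packets that reach the nat table, which for PREROUTING is the first packet of each connection (so three connections, not three password guesses), and because `--rcheck` never refreshes the entry, the block ends 600 seconds after the first of the three hits, not ten minutes after the block began. On a filter INPUT chain, where every packet of an established session traverses the rules, the same rules would need `--syn` or a conntrack state match, or a legitimate session would trip the counter on its own packets.

```python
from collections import defaultdict, deque

WINDOW = 600     # --seconds 600
HITCOUNT = 3     # --hitcount 3
LIST_DEPTH = 20  # xt_recent keeps a bounded number of timestamps per source


class RecentList:
    """Minimal model of the xt_recent list used by `-m recent`."""

    def __init__(self, window=WINDOW, hitcount=HITCOUNT, depth=LIST_DEPTH):
        self.window = window
        self.hitcount = hitcount
        self.depth = depth
        self.hits = defaultdict(deque)  # source address -> packet timestamps

    def rcheck(self, src, now):
        # --rcheck: true if >= hitcount timestamps fall inside the window.
        # It does NOT add or refresh a timestamp.
        recent = [t for t in self.hits[src] if now - t <= self.window]
        return len(recent) >= self.hitcount

    def set(self, src, now):
        # --set: record the packet, keeping at most `depth` timestamps.
        q = self.hits[src]
        q.append(now)
        while len(q) > self.depth:
            q.popleft()


def nat_prerouting(rl, src, now, log):
    """Walk the three quoted PREROUTING rules in order for one packet.

    Returns the terminating verdict, 'DROP' or 'DNAT'. LOG is
    non-terminating, so a logged packet continues to the DROP rule.
    """
    if rl.rcheck(src, now):            # rule 1: -j LOG --log-prefix "SSH attack: "
        log.append(f"SSH attack: SRC={src} t={now}")
    if rl.rcheck(src, now):            # rule 2: -j DROP
        return "DROP"
    rl.set(src, now)                   # rule 3: --set, then DNAT to $INTERNAL:22
    return "DNAT"


# Constructed timeline: (seconds, source). 'A' opens five connections in 40s,
# then tries again just past the window; 'B' is a single legitimate login.
SAMPLE_EVENTS = [
    (0, "A"), (10, "A"), (20, "A"), (30, "A"), (40, "A"), (601, "A"),
    (0, "B"),
]


def simulate(events, window=WINDOW, hitcount=HITCOUNT):
    """Apply the rules to each event; return verdicts and the LOG lines."""
    rl = RecentList(window, hitcount)
    log = []
    verdicts = [(src, t, nat_prerouting(rl, src, t, log)) for t, src in events]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = simulate(SAMPLE_EVENTS)
    for src, t, verdict in verdicts:
        print(f"t={t:4d} src={src} -> {verdict}")
    print("logged:", *log, sep="\n  ")
```

Running it shows A's first three connections DNATed, the fourth and fifth dropped and logged, and the sixth at t=601 DNATed again, because by then the t=0 timestamp has aged out and only two hits remain in the window.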
___________________
Nolug mailing list
nolug@nolug.org
This archive was generated by hypermail 2.2.0 : 12/19/08 EST