[BlueOnyx:11959] Re: Blocking brute force SSH login attempts

Gerald Waugh gwaugh at frontstreetnetworks.com
Wed Jan 9 17:30:39 -05 2013


On 01/09/2013 12:45 PM, Chuck Tetlow wrote:
> Interesting Gerald.  VERY interesting!
>
> Those rules use some stuff that is new to me.  And if those rules work 
> - they'd be a GREAT asset to prevent hacking attempts.  Much better 
> than DFIX or mod_abl, since they do it in real-time and IPTables runs 
> more efficiently than those programs in user-space.
>
> Have you tested these rules Gerald?  Because if those rules work as 
> intended - this could be the answer to our problems with people trying 
> to hack in via FTP and POP.  I'm not concerned about SSH, because I 
> got tired of hacking attempts years ago and blocked TCP 22 and 23 at 
> our front-door router (and switched SSH to an odd-ball port for 
> access).  But I think we're all still seeing those 
> multiple-attempt-per-second scans trying to get valid usernames and 
> guess passwords.  These IPTables rules could put an end to that, and 
> the DOS it causes when Dovecot goes down.
>
> Oh, and have you tried to log those actions?  Like logging the DROP 
> before doing it?  I'd like to see some logging actions on what 
> IPTables drops - both so we could know it's working and so we could 
> insure that it's not the cause of a user issue.
>
> Thanks Gerald.  I'm looking forward to playing with these rules and 
> maybe improving our security.
>
I use these rules on all the servers I maintain; they work, and log to 
/var/log/messages with "Block SSH Attack ".
Just change the port number and log-prefix.

/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource

/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j LOG --log-prefix "Block SSH Attack "

/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP

-- 
Gerald
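
The three-rule pattern above, turned into a small generator so the same track / log / drop set can be emitted for SSH, FTP and POP3 (the services Chuck mentions) by changing only the port, the "recent" list name and the log prefix, plus a helper that answers his "is it working?" question by counting the sources a prefix has blocked in /var/log/messages. This is an added example, not code from Gerald's post; the interface, 60-second window, hit count of 8 and the 22/21/110 service list are assumptions that mirror his rules.

```shell
#!/bin/sh
# Added example (not from the original post). Defaults below are assumed
# to match Gerald's rules; override them via the environment if needed.
IPTABLES=${IPTABLES:-/sbin/iptables}
IFACE=${IFACE:-eth0}
WINDOW=${WINDOW:-60}   # seconds the "recent" list remembers a source
HITS=${HITS:-8}        # NEW connections inside WINDOW before LOG+DROP

# Print the three rules for one service, in the order they must be added:
# 1) --set records the source address on every NEW connection,
# 2) --update ... -j LOG logs once the source reaches HITS within WINDOW,
# 3) the same match with -j DROP discards the packet.
# $1 = TCP port, $2 = recent list name, $3 = log prefix (a trailing space
# is appended so the prefix stays separate from the IN=/SRC= fields).
bf_rules() {
    port=$1; name=$2; prefix=$3
    base="$IPTABLES -A INPUT -i $IFACE -p tcp -m tcp --dport $port -m state --state NEW -m recent"
    limit="--update --seconds $WINDOW --hitcount $HITS --rttl --name $name --rsource"
    printf '%s --set --name %s --rsource\n' "$base" "$name"
    printf '%s %s -j LOG --log-prefix "%s "\n' "$base" "$limit" "$prefix"
    printf '%s %s -j DROP\n' "$base" "$limit"
}

# Count the distinct SRC= addresses a given log prefix has blocked in a
# /var/log/messages-style file, to confirm the rules fire (and on whom).
# $1 = log prefix, $2 = log file
bf_blocked_sources() {
    grep -F "$1" "$2" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u | wc -l | tr -d ' '
}

# With no argument the rules are only printed for review; "apply" runs them
# (needs root). Assumed services: 22/SSH, 21/FTP, 110/POP3.
MODE=${1:-print}
for svc in 22:SSH 21:FTP 110:POP3; do
    port=${svc%%:*}; name=${svc#*:}
    bf_rules "$port" "$name" "Block $name Attack" | while IFS= read -r rule; do
        if [ "$MODE" = apply ]; then eval "$rule"; else printf '%s\n' "$rule"; fi
    done
done
```

Run it without arguments first and read the printed rules; only then re-run with "apply" on a host where the port list matches what is actually exposed.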
