[BlueOnyx:11952] Re: Blocking brute force SSH login attempts

Chuck Tetlow chuck at tetlow.net
Wed Jan 9 13:45:37 -05 2013


Interesting Gerald.  VERY interesting!

Those rules use some stuff that is new to me.  And if those rules work - they'd be a GREAT asset to prevent hacking attempts.  Much better than DFIX or mod_abl, since they do it in real-time and IPTables runs more efficiently than those programs in user-space.

Have you tested these rules Gerald?  Because if those rules work as intended - this could be the answer to our problems with people trying to hack in via FTP and POP.  I'm not concerned about SSH, because I got tired of hacking attempts years ago and blocked TCP 22 and 23 at our front-door router (and switched SSH to an odd-ball port for access).  But I think we're all still seeing those multiple-attempt-per-second scans trying to get valid usernames and guess passwords.  These IPTables rules could put an end to that, and the DoS it causes when Dovecot goes down.

Oh, and have you tried to log those actions?  Like logging the DROP before doing it?  I'd like to see some logging actions on what IPTables drops - both so we could know it's working and so we could ensure that it's not the cause of a user issue.

Thanks Gerald.  I'm looking forward to playing with these rules and maybe improving our security.

Chuck

--------- Original Message -----------
From: Gerald Waugh <gwaugh at frontstreetnetworks.com> 
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it> 
Sent: Wed, 09 Jan 2013 11:23:41 -0600 
Subject: [BlueOnyx:11950] Re: Blocking brute force SSH login attempts

> On 01/09/2013 08:07 AM, James wrote:
> 
> > Is there a simple way in BlueOnyx to auto-block hosts that fail to login via SSH too many times? Something similar to the Failed Logins settings for the BlueOnyx login page but for SSH?
> 
> I use this; it catches attacks in real time. Below uses 8 attempts in 60 seconds; of course you can change those parameters.
> 
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> 
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
> 
> --
> Gerald
------- End of Original Message -------
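The following is an added example, not code posted by Gerald, Chuck or the BlueOnyx project. It takes the two quoted `-m recent` rules and addresses the logging question raised above: each service gets its own chain in which a rate-limited LOG rule fires immediately before the DROP, and the same 8-attempts-in-60-seconds policy is applied to the FTP and POP3 ports the reply mentions. The interface name `eth0` comes from the quoted rules; the chain names, the `BRUTE_` log prefix, the `APPLY` switch and the availability of the `xt_recent`, `xt_limit` and LOG modules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): per-service brute-force
# throttling with iptables' "recent" match, with a LOG rule before every DROP.
# Assumptions: one public interface named in IFACE (default eth0, as in the
# quoted rules); kernel provides xt_recent, xt_limit and the LOG target.
# Set APPLY=1 to execute the commands; by default they are only printed so
# the generated rule set can be reviewed first.

IFACE="${IFACE:-eth0}"
if [ "${APPLY:-0}" = "1" ]; then RUN=""; else RUN="echo"; fi

# brute_rules NAME PORT SECONDS HITCOUNT
# Creates chain BRUTE_NAME, fed by NEW connections to PORT, that:
#  1. logs (rate-limited) a connection from a source that has already made
#     HITCOUNT new connections within SECONDS (--rcheck looks, does not count),
#  2. drops it, refreshing the entry (--update) so the block lasts as long as
#     the client keeps retrying,
#  3. otherwise records the attempt (--set) and RETURNs to INPUT, where the
#     existing firewall rules decide whether the service is reachable at all.
# --rttl matches only when the packet's TTL equals the one recorded for that
# address, so a spoofed-source flood cannot trivially lock out a real client.
# HITCOUNT must not exceed xt_recent's ip_pkt_list_tot (default 20).
brute_rules() {
    name="$1"; port="$2"; secs="$3"; hits="$4"
    chain="BRUTE_$name"
    $RUN iptables -N "$chain"
    $RUN iptables -A INPUT -i "$IFACE" -p tcp --dport "$port" \
        -m state --state NEW -j "$chain"
    $RUN iptables -A "$chain" -m recent --rcheck --seconds "$secs" --hitcount "$hits" --rttl --name "$name" \
        -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-level 4 --log-prefix "BRUTE_$name:"
    $RUN iptables -A "$chain" -m recent --update --seconds "$secs" --hitcount "$hits" --rttl --name "$name" \
        -j DROP
    $RUN iptables -A "$chain" -m recent --set --name "$name" -j RETURN
}

# Same 8 attempts / 60 seconds policy as the quoted SSH rules, extended to the
# FTP and POP3 ports mentioned in the reply.
brute_rules SSH 22 60 8
brute_rules FTP 21 60 8
brute_rules POP 110 60 8

# Once applied, each drop is visible in the kernel log under its prefix
# (e.g. grep 'BRUTE_' /var/log/messages), and the addresses currently being
# tracked per service can be read from /proc/net/xt_recent/<NAME>.
```

Using `--rcheck` for the LOG rule and `--update` only on the DROP keeps the hit list from being bumped twice per packet; the `-m limit` on the LOG rule stops a determined scanner from filling the log at the same rate it is being dropped.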
 