[BlueOnyx:11953] Re: Blocking brute force SSH login attempts

James james at slor.net
Wed Jan 9 14:32:10 -05 2013


I'm with you Chuck.  Sticking those rules in an init script seems like a
nice clean way to monitor and block.


Thanks Gerald


From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Chuck Tetlow
Sent: Wednesday, January 09, 2013 1:46 PM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:11952] Re: Blocking brute force SSH login attempts


Interesting Gerald.  VERY interesting! 

Those rules use some stuff that is new to me.  And if those rules work -
they'd be a GREAT asset to prevent hacking attempts.  Much better than DFIX
or mod_abl, since they do it in real-time and IPTables runs more efficiently
than those programs in user-space. 

Have you tested these rules Gerald?  Because if those rules work as intended
- this could be the answer to our problems with people trying to hack in via
FTP and POP.  I'm not concerned about SSH, because I got tired of hacking
attempts years ago and blocked TCP 22 and 23 at our front-door router (and
switched SSH to an odd-ball port for access).  But I think we're all still
seeing those multiple-attempt-per-second scans trying to get valid usernames
and guess passwords.  These IPTables rules could put an end to that, and the
DOS it causes when Dovecot goes down.

Oh, and have you tried to log those actions?  Like logging the DROP before
doing it?  I'd like to see some logging actions on what IPTables drops -
both so we could know it's working and so we could ensure that it's not the
cause of a user issue.

Thanks Gerald.  I'm looking forward to playing with these rules and maybe
improving our security. 



Chuck 




--------- Original Message ----------- 
From: Gerald Waugh <gwaugh at frontstreetnetworks.com> 
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it> 
Sent: Wed, 09 Jan 2013 11:23:41 -0600 
Subject: [BlueOnyx:11950] Re: Blocking brute force SSH login attempts 

> On 01/09/2013 08:07 AM, James wrote:
>
> Is there a simple way in BlueOnyx to auto-block hosts that fail to login
> via SSH too many times?  Something similar to the Failed Logins settings for
> the BlueOnyx login page but for SSH?

I use this; it catches attacks in real time.  Below uses 8 attempts in 60
seconds, of course you can change those parameters

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

--
Gerald
------- End of Original Message ------- 
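Gerald's two rules, turned into a small init-script style shell function as an added example (not code from the thread): it adds the LOG step before the DROP that Chuck asked about and applies the same treatment to the FTP and POP3 ports he mentions. The function names, the BRUTE- log prefix and the FTP/POP3 thresholds are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: Gerald's two "recent" rules as a
# reusable function, with the LOG step Chuck asked for, wrapped so the file can
# be dropped into an init script. Function names, the BRUTE- log prefix and the
# FTP/POP3 thresholds are assumptions for illustration.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # IPTABLES=echo gives a dry run
IFACE="${IFACE:-eth0}"

# ratelimit_port PORT NAME SECONDS HITS
# Every NEW connection to PORT adds the source to the "recent" list NAME; a
# source that opens HITS connections within SECONDS is logged, then dropped.
# --rttl only matches when the packet's TTL equals the one recorded by --set,
# so a SYN flood with spoofed sources cannot get a third party's address blocked.
ratelimit_port() {
    port=$1 name=$2 seconds=$3 hits=$4
    match="INPUT -i $IFACE -p tcp --dport $port -m state --state NEW"

    # Gerald's first rule: record (or refresh) the source address in the list.
    $IPTABLES -A $match -m recent --set --name "$name"

    # Log before dropping, as Chuck wanted, so the block shows up in syslog.
    # --rcheck does not touch the timestamp; -m limit keeps the log readable.
    $IPTABLES -A $match -m recent --rcheck --seconds "$seconds" \
        --hitcount "$hits" --rttl --name "$name" \
        -m limit --limit 3/min -j LOG --log-prefix "BRUTE-$name: "

    # Gerald's second rule: drop once the threshold is reached.
    $IPTABLES -A $match -m recent --update --seconds "$seconds" \
        --hitcount "$hits" --rttl --name "$name" -j DROP
}

# Gerald's 8 attempts in 60 s for SSH; FTP and POP3 (Chuck's concern) reuse the
# same values under their own lists. Tune per service before deploying.
apply_rules() {
    ratelimit_port 22  SSH  60 8
    ratelimit_port 21  FTP  60 8
    ratelimit_port 110 POP3 60 8
}

# `sh ratelimit.sh apply` installs the rules; prefix IPTABLES=echo to preview.
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it once with IPTABLES=echo and compare the printed rules against iptables -L INPUT -n -v after installing, so the LOG counters confirm the rule is matching before anyone relies on it.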
