[BlueOnyx:11956] Re: Blocking brute force SSH login attempts

Greg Kuhnert gkuhnert at compassnetworks.com.au
Wed Jan 9 14:51:34 -05 2013


Absolutely a good solution... but there are so many attack vectors. DFIX does an aggregate analysis of SSH attacks, and FTP attacks, and SMTP, and IMAP and POP, and even some web attack vectors etc etc... The threshold to block a user is a combination of all of the above. Yes it does take some CPU cycles - but it was designed to be fairly lightweight overall. I still agree the iptables rules are good as a first line of defence - but there's more to look at than just the frequency of SYN requests to keep your server secure.

Regards,
Greg.


On 10/01/2013, at 6:32 AM, James <james at slor.net> wrote:

> I’m with you Chuck.  Sticking those rules in an init script seems like a nice clean way to monitor and block.
>  
> Thanks Gerald
>  
> From: blueonyx-bounces at mail.blueonyx.it [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Chuck Tetlow
> Sent: Wednesday, January 09, 2013 1:46 PM
> To: BlueOnyx General Mailing List
> Subject: [BlueOnyx:11952] Re: Blocking brute force SSH login attempts
>  
> Interesting Gerald.  VERY interesting!
> 
> Those rules use some stuff that is new to me.  And if those rules work - they'd be a GREAT asset to prevent hacking attempts.  Much better than DFIX or mod_abl, since they do it in real-time and IPTables runs more efficiently than those programs in user-space.
> 
> Have you tested these rules Gerald?  Because if those rules work as intended - this could be the answer to our problems with people trying to hack in via FTP and POP.  I'm not concerned about SSH, because I got tired of hacking attempts years ago and blocked TCP 22 and 23 at our front-door router (and switched SSH to an odd-ball port for access).  But I think we're all still seeing those multiple-attempt-per-second scans trying to get valid usernames and guess passwords.  These IPTables rules could put an end to that, and the DOS it causes when Dovecot goes down.
> 
> Oh, and have you tried to log those actions?  Like logging the DROP before doing it?  I'd like to see some logging actions on what IPTables drops - both so we could know it's working and so we could ensure that it's not the cause of a user issue.
> 
> Thanks Gerald.  I'm looking forward to playing with these rules and maybe improving our security.
> 
> 
> 
> Chuck 
> 
> 
> 
> 
> --------- Original Message ----------- 
> From: Gerald Waugh <gwaugh at frontstreetnetworks.com> 
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it> 
> Sent: Wed, 09 Jan 2013 11:23:41 -0600 
> Subject: [BlueOnyx:11950] Re: Blocking brute force SSH login attempts 
> 
> > On 01/09/2013 08:07 AM, James wrote:
> 
> > 
> > Is there a simple way in BlueOnyx to auto-block hosts that fail to login via SSH too many times?  Something similar to the Failed Logins settings for the BlueOnyx login page but for SSH?
> I use this; it catches attacks in real time. Below uses 8 attempts in 60 seconds; of course you can change those parameters.
> 
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> 
> /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
> 
> -- 
> Gerald
> ------- End of Original Message -------
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
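The rule pair Gerald posted, generalised to any TCP port and with the LOG step Chuck asked about, as an added example that is not part of any message in this thread. It assumes interface eth0, the list name SSH, the "SSH-BRUTE: " log prefix and a log rate limit of 3/min; only the 22 / 60 / 8 defaults come from Gerald's rules.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables "recent" rate-limit rules
# for one TCP port, with a rate-limited LOG rule ahead of the DROP so blocked
# sources show up in syslog/dmesg. eth0, the list name, the log prefix and the
# log limit are assumptions; port/seconds/hitcount are parameters (22/60/8 in
# the thread). Note --hitcount cannot exceed the recent module's per-address
# timestamp list (ip_pkt_list_tot, default 20).
#
# usage: build_rules PORT SECONDS HITCOUNT [IFACE] [LISTNAME]
build_rules() {
    port=$1; secs=$2; hits=$3; iface=${4:-eth0}; name=${5:-SSH}
    common="-A INPUT -i $iface -p tcp --dport $port -m state --state NEW"
    window="--seconds $secs --hitcount $hits --rttl --name $name"

    # 1. Record a timestamp for every new connection from the source address.
    printf '%s\n' "/sbin/iptables $common -m recent --set --name $name"

    # 2. Log once the threshold is crossed. --rcheck only reads the list, so
    #    the LOG rule does not add an extra timestamp per packet, and -m limit
    #    keeps a fast scanner from flooding the log. --rttl means only packets
    #    with the same TTL as the recorded ones count, which makes it harder
    #    for spoofed packets to get a legitimate address blocked.
    printf '%s\n' "/sbin/iptables $common -m recent --rcheck $window -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix \"${name}-BRUTE: \" --log-level 4"

    # 3. Drop. --update refreshes the timestamp on each dropped packet, so a
    #    source that keeps hammering stays blocked until it pauses for $secs.
    printf '%s\n' "/sbin/iptables $common -m recent --update $window -j DROP"
}

# Print Gerald's 22/60/8 rule set. To apply: run as root and pipe into sh, or
# paste the lines into the init script discussed in the thread.
build_rules 22 60 8
```

The three rules must sit before any general ACCEPT for the port, and a rule accepting your own management address should go ahead of them so an operator mistyping a password does not lock the admin out. For the FTP and POP scans Chuck mentions, call `build_rules 21 60 8 eth0 FTP` and `build_rules 110 60 8 eth0 POP` with distinct list names so each service keeps its own hit list. Watch for the log prefix in /var/log/messages to confirm the DROP fires and to spot a legitimate user tripping it.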


