[BlueOnyx:11960] Re: Blocking brute force SSH login attempts

Gerald Waugh gwaugh at frontstreetnetworks.com
Wed Jan 9 17:44:25 -05 2013


On 01/09/2013 04:30 PM, Gerald Waugh wrote:
> On 01/09/2013 12:45 PM, Chuck Tetlow wrote:
>> Interesting Gerald.  VERY interesting!
>>
>> Those rules use some stuff that is new to me.  And if those rules 
>> work - they'd be a GREAT asset to prevent hacking attempts.  Much 
>> better than DFIX or mod_abl, since they do it in real-time and 
>> IPTables runs more efficiently than those programs in user-space.
>>
>> Have you tested these rules Gerald?  Because if those rules work as 
>> intended - this could be the answer to our problems with people 
>> trying to hack in via FTP and POP.  I'm not concerned about SSH, 
>> because I got tired of hacking attempts years ago and blocked TCP 22 
>> and 23 at our front-door router (and switched SSH to an odd-ball port 
>> for access).  But I think we're all still seeing those 
>> multiple-attempt-per-second scans trying to get valid usernames and 
>> guess passwords.  These IPTables rules could put an end to that, and 
>> the DOS it causes when Dovecot goes down.
>>
>> Oh, and have you tried to log those actions?  Like logging the DROP 
>> before doing it?  I'd like to see some logging actions on what 
>> IPTables drops - both so we could know it's working and so we could 
>> ensure that it's not the cause of a user issue.
>>
>> Thanks Gerald.  I'm looking forward to playing with these rules and 
>> maybe improving our security.
>>
> I use these rules on all the servers I maintain; they work, and log to 
> /var/log/messages with "Block SSH Attack ".
> Just change the port number and log-prefix:
>
> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state \
>     --state NEW -m recent --set --name SSH --rsource
>
> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state \
>     --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name \
>     SSH --rsource -j LOG --log-prefix "Block SSH Attack "
>
> /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state \
>     --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name \
>     SSH --rsource -j DROP
>
Oops, I have mine logging to /var/log/iptables.
IIRC, changed in rsyslog.conf:

kern.warning                                            /var/log/iptables

Example for an SMTP attack:

Dec 20 21:00:02 mail kernel: Block 25 SMTP Attack IN=eth0 OUT= MAC=d6:f7:c7:cc:13:6b:00:23:04:96:58:46:08:00 SRC=75.75.244.19 DST=12.181.146.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=11242 DF PROTO=TCP SPT=41147 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0



> -- 
> Gerald
>


-- 
Gerald Waugh
Front Street Networks
(318) 734-4779
(318) 401-0428
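Chuck asks for a way to know the rules are working and are not blocking a legitimate user; the LOG lines above give you that. The parser below is an added example (not code from the list or from BlueOnyx) that reads the kernel LOG format shown in the post, keys on the --log-prefix text, and counts logged hits per source and destination port so a blocked address can be spotted quickly. The log lines it contains are constructed samples using documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the post; addresses are
# from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Dec 20 21:00:02 mail kernel: Block 25 SMTP Attack IN=eth0 OUT= MAC=d6:f7:c7:cc:13:6b:00:23:04:96:58:46:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=11242 DF PROTO=TCP SPT=41147 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 20 21:00:03 mail kernel: Block 25 SMTP Attack IN=eth0 OUT= MAC=d6:f7:c7:cc:13:6b:00:23:04:96:58:46:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=11243 DF PROTO=TCP SPT=41148 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 20 21:00:05 mail kernel: Block SSH Attack IN=eth0 OUT= MAC=d6:f7:c7:cc:13:6b:00:23:04:96:58:46:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=77 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Dec 20 21:00:06 mail sshd[1234]: Accepted publickey for admin from 198.51.100.9 port 40000 ssh2
"""

# syslog timestamp, host, "kernel:", the --log-prefix text, then the
# key=value fields netfilter appends, which always start at IN=.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Return a dict for an iptables LOG line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else True  # bare flags such as DF or SYN
    return rec


def blocked_sources(log_text, prefix=None):
    """Count logged hits per (SRC, DPT), optionally for one --log-prefix only."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (prefix is None or rec["prefix"] == prefix):
            hits[(rec["SRC"], rec["DPT"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dport), n in blocked_sources(SAMPLE_LOG).most_common():
        print(f"{src:15} dport {dport:>5}  {n} logged hits")
```

Point it at /var/log/iptables (or /var/log/messages) instead of SAMPLE_LOG to review what the DROP rules are actually catching.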