Gentoo Archives: gentoo-security

From: Tad Glines <tad@××××××.com>
To: gentoo-security@l.g.o
Subject: RE: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:49
Message-Id: 000001c5c797$aa732870$0200080a@SPRITE
In Reply to: [gentoo-security] [OT?] automatically firewalling off IPs by Jeremy Brake
Jeremy Brake wrote:
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
These are the rules that I'm using.

# Track connections to SSH
# (the source address is recorded in the "SSH" recent list each time a
# connection to port 22 is closed with FIN/ACK or reset with RST)
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
   --dport 22 -m recent --name SSH --set
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
   --dport 22 -m recent --name SSH --set

# Drop if connection rate exceeds 4/minute
# (--rcheck counts the entries for this source within --seconds; the
# LOG rule is rate-limited by -m limit so the log cannot be flooded)
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -j DROP

# Drop if connection rate exceeds 20/hour
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -j DROP

-Tad

--
gentoo-security@g.o mailing list
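Jeremy asked for something different from Tad's rules: a script that reads the sshd log, counts failed logins per source, blocks the source with iptables for a fixed time after a threshold, and honours an exclusion list. Tad's rules never look at the log; they rate-limit connection closes per source with the recent match. The following is an added example of the log-driven approach, written for this page and not code from the thread, from Gentoo or from any sshd tooling. It parses constructed sample sshd lines in the default syslog format (the year is assumed to be 2011, since syslog omits it), applies a sliding-window threshold, skips excluded networks, and renders the iptables commands for the block and for its later removal instead of executing them. The thresholds, the window, the block duration, the chain name and the sample addresses are all my assumptions.

```python
"""Block sources after repeated sshd login failures (added example, not from the thread).

Assumptions (mine, not the page's): default OpenSSH/syslog log format, log year
2011, and blocks realised as a per-source DROP rule inserted at the top of the
INPUT chain and deleted again when the block expires.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2011  # syslog timestamps carry no year; assumed for the constructed sample

# Constructed sample log (not from the thread). 203.0.113.5 is a fast brute
# forcer, 10.8.0.2 a VPN user mistyping a password, 198.51.100.7 a slow probe.
SAMPLE_LOG = """\
Oct 31 03:50:01 sprite sshd[4411]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 31 03:50:03 sprite sshd[4413]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 31 03:50:04 sprite sshd[4415]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Oct 31 03:50:06 sprite sshd[4417]: Failed password for root from 203.0.113.5 port 51250 ssh2
Oct 31 03:50:09 sprite sshd[4420]: Accepted publickey for tad from 10.8.0.2 port 40022 ssh2
Oct 31 03:51:00 sprite sshd[4430]: Failed password for tad from 10.8.0.2 port 40030 ssh2
Oct 31 03:51:02 sprite sshd[4431]: Failed password for tad from 10.8.0.2 port 40031 ssh2
Oct 31 03:51:04 sprite sshd[4432]: Failed password for tad from 10.8.0.2 port 40032 ssh2
Oct 31 03:51:06 sprite sshd[4433]: Failed password for tad from 10.8.0.2 port 40033 ssh2
Oct 31 03:52:00 sprite sshd[4440]: Failed password for invalid user test from 198.51.100.7 port 33000 ssh2
Oct 31 03:59:00 sprite sshd[4441]: Failed password for invalid user test from 198.51.100.7 port 33001 ssh2
Oct 31 04:06:00 sprite sshd[4442]: Failed password for invalid user test from 198.51.100.7 port 33002 ssh2
Oct 31 04:13:00 sprite sshd[4443]: Failed password for invalid user test from 198.51.100.7 port 33003 ssh2
"""

# Matches the "Failed <method> for [invalid user] <name> from <ip> port <n>" form
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=YEAR):
    """Yield (timestamp, ip_address) for every failed-login line; skip the rest."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects and other noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, ipaddress.ip_address(m["ip"])


def decide_blocks(lines, threshold=4, window=timedelta(minutes=10),
                  block_for=timedelta(hours=1), exclude=()):
    """Sliding-window counter: a source reaching `threshold` failures within
    `window` is blocked for `block_for`. Returns {ip_str: (blocked_at, unblock_at)}.
    Sources inside any `exclude` network are never blocked (Jeremy's exclusion list).
    """
    nets = [ipaddress.ip_network(n) for n in exclude]
    recent = defaultdict(deque)  # ip_str -> failure timestamps still inside the window
    blocks = {}
    for ts, ip in parse_failures(lines):
        key = str(ip)
        if any(ip in net for net in nets):
            continue
        if key in blocks and ts < blocks[key][1]:
            continue  # already blocked; the firewall would have dropped this anyway
        q = recent[key]
        q.append(ts)
        while q and q[0] <= ts - window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocks[key] = (ts, ts + block_for)
            q.clear()
    return blocks


def iptables_commands(blocks, chain="INPUT"):
    """Render, per block, the insert command and the matching delete to run at expiry.
    (IPv4 only: IPv6 sources would need ip6tables, which is out of scope here.)"""
    cmds = []
    for ip, (start, end) in sorted(blocks.items(), key=lambda kv: kv[1][0]):
        rule = f"-s {ip} -p tcp --dport 22 -j DROP"
        cmds.append(f"# {start:%H:%M:%S}: block {ip} until {end:%H:%M:%S}")
        cmds.append(f"iptables -I {chain} {rule}")
        cmds.append(f"iptables -D {chain} {rule}  # schedule for {end:%H:%M:%S}")
    return cmds


if __name__ == "__main__":
    decisions = decide_blocks(SAMPLE_LOG.splitlines(), exclude=["10.8.0.0/24"])
    print("\n".join(iptables_commands(decisions)))
```

On the sample, only 203.0.113.5 is blocked when 10.8.0.0/24 is excluded; without the exclusion the VPN user's four typos lock them out as well, which is exactly why Jeremy wanted the list. The slow probe from 198.51.100.7 (one attempt every seven minutes) never reaches four failures inside a ten-minute window and is not blocked; widening the window catches it, at the cost of more false positives. The same trade-off applies to Tad's rules: they count closed connections per source and then match every packet to port 22, so a legitimate user who opens five short sessions in a minute (an scp loop, say) is dropped for the rest of that minute, and there is no exclusion list unless an ACCEPT for trusted sources is placed ahead of them. The script needs root to actually run the rendered commands, and the delete has to be scheduled (at, cron, or a loop in the script) or the block is permanent.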

Replies

Subject Author
Re: [gentoo-security] [OT?] automatically firewalling off IPs Alex Efros <powerman@×××××××.ua>