MaxieZ wrote:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>
>>Hey all,
>>
>>I'm looking for an app/script which can monitor for failed ssh logins,
>>and block using IPTables for $time after $number of failed logins (an
>>exclusion list would be handy as well) so that I can put a quick stop to
>>these niggly brute-force ssh "attacks" I seem to be getting more and
>>more often.
>
> http://kodu.neti.ee/~risto/sec/

Jeremy,
I agree with MaxieZ, a combination of SEC and iptables works nicely in
this situation and could be extended to other services like FTP, IMAP,
web authentication, etc. I personally do not feel that security through
obscurity by changing the port numbers is a viable solution. Here is
what I do:

First, I have SEC scanning my logs using the two rules from the attached
sec.rules file. The first rule looks for connections to the sshd port
that do not send an identification string. If it sees this message in
syslog, it then uses iptables to insert a rule to drop all packets from
the source address. The second rule looks for attempted logins using an
invalid user id. It then creates an iptables rule like the first one.
I added in a commented-out action line for both of those rules which
creates a 24 hour context, which after 24 hours will delete the iptables
rule it created for that IP address.

Second, I have three normal iptables rules which rate limit the number
of connections to port 22. This is to defend against brute force
attacks on a valid account.

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j LOG --log-level 4 --log-prefix "iptables-drop: "
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

I highly recommend SEC for this type of log monitoring.

-dave
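The log-monitoring logic Dave describes, as an added Python example that is not his sec.rules file (which is not reproduced here): it matches the two sshd messages (no identification string, invalid user) against constructed sample syslog lines, produces the iptables DROP inserts, and removes them again once the 24 hour context has elapsed. The sample addresses, the exclusion list and the function names are assumptions; commands are returned as strings rather than executed so the logic can be checked offline.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not from the original post).
SAMPLE_LOG = """\
Oct  3 10:12:01 host sshd[2101]: Did not receive identification string from 203.0.113.7
Oct  3 10:12:05 host sshd[2102]: Invalid user admin from 198.51.100.23
Oct  3 10:12:09 host sshd[2103]: Accepted publickey for dave from 192.0.2.10 port 51122 ssh2
Oct  3 10:12:30 host sshd[2104]: Invalid user admin from 198.51.100.23
Oct  3 10:12:40 host sshd[2105]: Invalid user test from 192.0.2.10
"""

# The two events the post's SEC rules match: a connection that sends no
# identification string, and a login attempt with an invalid user id.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)"),
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)"),
]
EXCLUDE = {"192.0.2.10"}         # assumed exclusion list, e.g. a management host
BLOCK_FOR = timedelta(hours=24)  # lifetime of the "delete the rule later" context

def plan_blocks(log_text, now, blocked=None):
    """Return the iptables commands to run and the updated {ip: expiry} table.

    An address that is excluded or already blocked produces no new rule,
    just as an existing SEC context suppresses a second action.
    """
    blocked = dict(blocked or {})
    cmds = []
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m and m.group(1) not in EXCLUDE and m.group(1) not in blocked:
                blocked[m.group(1)] = now + BLOCK_FOR
                cmds.append(f"iptables -I INPUT -s {m.group(1)} -j DROP")
    return cmds, blocked

def expire_blocks(blocked, now):
    """Return the commands that remove rules whose 24 hour context has elapsed."""
    cmds = [f"iptables -D INPUT -s {ip} -j DROP" for ip, t in blocked.items() if t <= now]
    return cmds, {ip: t for ip, t in blocked.items() if t > now}

def demo():
    """Run the sample log through both steps and return the results."""
    now = datetime(2005, 10, 3, 10, 12)
    cmds, blocked = plan_blocks(SAMPLE_LOG, now)
    removals, remaining = expire_blocks(blocked, now + timedelta(hours=25))
    return cmds, removals, remaining
```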