| 1 |
> Jeremy Brake wrote: |
| 2 |
> |
| 3 |
> I'm looking for an app/script which can monitor for failed ssh logins, |
| 4 |
> and block using IPTables for $time after $number of failed logins (an |
| 5 |
> exclusion list would be handy as well) so that I can put a quick stop to |
| 6 |
> these niggly brute-force ssh "attacks" I seem to be getting more and |
| 7 |
> more often. |
| 8 |
|
| 9 |
These are the rules that I'm using. |
| 10 |
|
| 11 |
# Track connections to SSH |
| 12 |
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK |
| 13 |
FIN,ACK \ |
| 14 |
--dport 22 -m recent --name SSH --set |
| 15 |
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \ |
| 16 |
--dport 22 -m recent --name SSH --set |
| 17 |
|
| 18 |
# Drop if connection rate exceeds 4/minute |
| 19 |
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \ |
| 20 |
--rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix |
| 21 |
"SSH_limit: " |
| 22 |
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \ |
| 23 |
--rcheck --seconds 60 --hitcount 4 -j DROP |
| 24 |
|
| 25 |
# Drop if connection rate exceeds 20/hour |
| 26 |
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \ |
| 27 |
--rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix |
| 28 |
"SSH_limit: " |
| 29 |
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \ |
| 30 |
--rcheck --seconds 3600 --hitcount 20 -j DROP |
| 31 |
|
| 32 |
-Tad |
| 33 |
|
| 34 |
-- |
| 35 |
gentoo-security@g.o mailing list |
Archives