Hello, I think you might find this useful:

# Chain for a source that has gone over the limit: once it has 10 hits in the
# last 60 s, silently DROP (keeps the log quiet); otherwise LOG and REJECT with
# a TCP reset.
iptables -N REJECT-SSH
iptables -A REJECT-SSH -m recent --rcheck --name SSH --seconds 60 --hitcount 10 -j DROP
iptables -A REJECT-SSH -j LOG --log-prefix "SSH-Bruteforce: "
iptables -A REJECT-SSH -p tcp -j REJECT --reject-with tcp-reset
iptables -A REJECT-SSH -j REJECT

# Every NEW SSH connection is recorded per source address. Once a source has
# 4 hits inside a 60 s window, --update matches (and refreshes its timestamp)
# and the packet is handed to REJECT-SSH; otherwise --set records it and the
# packet continues down the chain. These rules are in FORWARD, i.e. on a
# router in front of the SSH host; use INPUT if the firewall is the SSH host.
iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

When someone tries to bruteforce my ssh host, this rule blocks ssh
connections from the ip address of the attacker after the fourth
connection in a 60-second period. The source address of the attacker
will be blocked until he stops and... uh... rests for 60 seconds.


On 10/25/06, Kwon <kwon@××××××××××.org> wrote:
>
> > Set PermitRootLogin to no
> > Disallow password logins
> > Use DSA keys.
> > Move the SSHD port to something other than 22 (security by obscurity).
> > Yes, we all know that someone will find it, but that someone will be 1
> > in 1000 rather than all 1000 hitting the port.
> How about the technique of port knocking! Try this site:
> http://en.wikipedia.org/wiki/Port_knocking It explains quite well!
>
> --
> gentoo-hardened@g.o mailing list
>
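The following is an added example, not code from the message above: a small model of the `-m recent` (xt_recent) sliding-window logic that the iptables rules at the top of the message rely on, so that the block/unblock behaviour can be traced offline without touching netfilter. The `--set`, `--update` and `--rcheck` semantics and the per-address stamp ring (xt_recent's default `ip_pkt_list_tot` of 20) follow the kernel module's documented behaviour; the class names (`RecentList`, `SshFilter`), the scenario and the RFC 5737 addresses in it are my own constructions.

```python
"""Model of the xt_recent logic behind the REJECT-SSH rules (added example)."""
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # xt_recent default ip_pkt_list_tot: stamps kept per address


class RecentList:
    """One '-m recent --name' list: source address -> ring of packet timestamps."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def _hits(self, addr, now, seconds):
        # Only stamps that fall inside the last `seconds` count for --hitcount.
        return sum(1 for t in self.stamps[addr] if now - t <= seconds)

    def set(self, addr, now):
        """--set: record a stamp for addr, creating the entry if needed."""
        self.stamps[addr].append(now)

    def rcheck(self, addr, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: match without touching the list."""
        if addr not in self.stamps:
            return False
        return self._hits(addr, now, seconds) >= hitcount

    def update(self, addr, now, seconds, hitcount):
        """--update: like --rcheck, but a match also records a fresh stamp."""
        if self.rcheck(addr, now, seconds, hitcount):
            self.stamps[addr].append(now)
            return True
        return False


class SshFilter:
    """The two FORWARD rules plus the REJECT-SSH chain from the message."""

    WINDOW = 60        # --seconds 60
    BLOCK_AFTER = 4    # --hitcount 4 on the --update rule
    SILENT_AFTER = 10  # --hitcount 10 on the --rcheck/DROP rule

    def __init__(self):
        self.recent = RecentList("SSH")
        self.log = []  # lines the LOG target would emit

    def new_connection(self, src, now):
        """Verdict for one NEW TCP connection to port 22: ACCEPT, REJECT or DROP."""
        # -m recent --update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH
        if self.recent.update(src, now, self.WINDOW, self.BLOCK_AFTER):
            return self._reject_ssh(src, now)
        # -m recent --set --name SSH; the packet then continues down the chain,
        # modelled here as being accepted.
        self.recent.set(src, now)
        return "ACCEPT"

    def _reject_ssh(self, src, now):
        # -m recent --rcheck --name SSH --seconds 60 --hitcount 10 -j DROP
        if self.recent.rcheck(src, now, self.WINDOW, self.SILENT_AFTER):
            return "DROP"
        # -j LOG --log-prefix "SSH-Bruteforce: "
        self.log.append(f"SSH-Bruteforce: SRC={src} t={now}")
        # -j REJECT --reject-with tcp-reset
        return "REJECT"


def run_scenario(attempts):
    """attempts: (time_in_seconds, source_ip) pairs in time order.
    Returns (verdict per attempt, LOG lines)."""
    fw = SshFilter()
    verdicts = [fw.new_connection(src, t) for t, src in attempts]
    return verdicts, fw.log


def burst_then_pause():
    """Constructed scenario (not captured traffic): one host opens twelve SSH
    connections a second apart, an unrelated host connects once in between,
    and the first host retries at 50 s and again at 100 s."""
    attacker, other = "192.0.2.10", "192.0.2.20"  # RFC 5737 example addresses
    attempts = [(t, attacker) for t in range(6)]
    attempts.append((5, other))
    attempts += [(t, attacker) for t in range(6, 12)]
    attempts += [(50, attacker), (100, attacker)]
    return run_scenario(attempts)


if __name__ == "__main__":
    verdicts, log = burst_then_pause()
    for i, v in enumerate(verdicts):
        print(f"attempt {i:2d}: {v}")
    print("\n".join(log))
```

Tracing the constructed burst shows the order of events the rules produce: attempts 1 to 4 are accepted, attempts 5 to 9 are logged and reset, and from the tenth attempt on the source is dropped silently because its stamp count in the window has reached 10. The retry at 50 s is still dropped (and refreshes the entry), but the retry at 100 s is accepted even though only 50 s have passed since the previous attempt: by then just one stamp falls inside the 60 s window, so in practice "resting" means letting fewer than four of your attempts fall inside the last 60 seconds. The model ignores which chain the rules sit in (FORWARD on a router, or INPUT on the host itself); the counting logic is the same.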