| 1 |
Hello, I think you might find this useful: |
| 2 |
|
| 3 |
iptables -N REJECT-SSH |
| 4 |
iptables -A REJECT-SSH -j DROP -m recent --rcheck --name SSH --seconds 60 |
| 5 |
--hitcount 10 |
| 6 |
iptables -A REJECT-SSH -j LOG --log-prefix SSH-Bruteforce: |
| 7 |
iptables -A REJECT-SSH -j REJECT -p tcp --reject-with tcp-reset |
| 8 |
iptables -A REJECT-SSH -j REJECT |
| 9 |
|
| 10 |
iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent |
| 11 |
--update --name SSH --seconds 60 --hitcount 4 -j REJECT-SSH |
| 12 |
iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -m recent --set |
| 13 |
--name SSH |
| 14 |
|
| 15 |
When someone tries to bruteforce my ssh host, this rule blocks ssh |
| 16 |
connections from the |
| 17 |
ip address of the atacker after the fourth connection in a 60 seconds |
| 18 |
period. The source address of the atacker will be blocked until he |
| 19 |
stops and... uh... rest for 60 seconds. |
| 20 |
|
| 21 |
|
| 22 |
On 10/25/06, Kwon <kwon@××××××××××.org> wrote: |
| 23 |
> |
| 24 |
> > Set PermitRootLogin to no |
| 25 |
> > Disallow password logins |
| 26 |
> > Use DSA keys. |
| 27 |
> > Move the SSHD port to something other than 22 (security by obscurity). |
| 28 |
> > Yes, we all know that someone will find it, but that someone will be 1 |
| 29 |
> > in 1000 rather than all 1000 hitting the port. |
| 30 |
> How about the technique of port knocking! Try this site: |
| 31 |
> http://en.wikipedia.org/wiki/Port_knocking It explains quite well! |
| 32 |
> |
| 33 |
> -- |
| 34 |
> gentoo-hardened@g.o mailing list |
| 35 |
> |
| 36 |
> |
Archives