> Jeremy Brake wrote:
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.

These are the rules that I'm using.

# Track connections to SSH: every FIN/ACK or RST that a client sends to
# port 22 adds a timestamp for that source address to the "SSH" recent
# list (--set only records, it never drops anything by itself). Hosts to
# exempt need an ACCEPT rule placed before these.
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
   --dport 22 -m recent --name SSH --set
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
   --dport 22 -m recent --name SSH --set

# Drop if connection rate exceeds 4/minute: --rcheck matches when the
# source has at least 4 timestamps from the last 60 seconds. It does not
# add a timestamp, so dropped retries do not extend the block; the source
# stays blocked only while four recorded closes fall inside the window.
# These rules match every packet to port 22, not only new connections.
# -m limit with no arguments keeps the LOG rule at 3/hour (burst 5).
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -j DROP

# Drop if connection rate exceeds 20/hour. --hitcount may not exceed the
# recent module's ip_pkt_list_tot parameter (default 20), so 20 is the
# largest value that loads without raising that parameter.
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -j DROP

-Tad

--
gentoo-security@g.o mailing list
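To see what the rules above actually count, here is an added example (not code from the original post or from the gentoo-security list) that simulates the `recent` match semantics the rules rely on: `--set` appends a timestamp to a per-source ring of ip_pkt_list_tot entries, `--rcheck` matches when at least `--hitcount` stamps fall within `--seconds` without touching the list, and `--update` does the same but also records a stamp on a match. It replays Tad's two tiers (4 closes in 60 s, 20 in 3600 s) over constructed traffic. The addresses, timings, the ACCEPT fall-through and the ip_pkt_list_tot default of 20 are assumptions, and the `--rcheck` versus `--update` comparison goes beyond the rules as posted.

```python
from collections import deque

# xt_recent keeps at most ip_pkt_list_tot timestamps per address.
# 20 is the module default (assumption: check
# /sys/module/xt_recent/parameters/ip_pkt_list_tot on the host).
IP_PKT_LIST_TOT = 20


class RecentList:
    """One named `recent` table: a per-source ring of timestamps."""

    def __init__(self, size=IP_PKT_LIST_TOT):
        self.size = size
        self.stamps = {}  # src -> deque of seconds, oldest first

    def set(self, src, now):
        """--set: record a hit; the ring drops the oldest stamp when full."""
        self.stamps.setdefault(src, deque(maxlen=self.size)).append(now)

    def hits(self, src, now, seconds):
        """Stamps for src that fall inside the last `seconds`."""
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds --hitcount: match without touching the list."""
        return src in self.stamps and self.hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):
        """--update: like --rcheck, but a match also records a new stamp."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self.set(src, now)
        return matched


# (--seconds, --hitcount) of the two DROP tiers in the rules above.
TIERS = ((60, 4), (3600, 20))


def run_policy(events, check="rcheck"):
    """Replay packets (time_s, src, kind) through the rules in order.

    kind is "syn" for a new connection or "fin"/"rst" for a client-side
    teardown. Returns one verdict per packet. check="update" shows what
    changes if the DROP rules used --update instead of --rcheck (the LOG
    rule is folded into the DROP rule here, so one check per tier).
    The ACCEPT fall-through is an assumed default policy.
    """
    table = RecentList()
    verdicts = []
    for now, src, kind in events:
        if kind in ("fin", "rst"):       # rules 1-2: teardown adds a stamp
            table.set(src, now)
        verdict = "ACCEPT"
        for seconds, hitcount in TIERS:  # rules 3-6: any packet to port 22
            if getattr(table, check)(src, now, seconds, hitcount):
                verdict = "DROP"
                break
        verdicts.append(verdict)
    return verdicts


ATTACKER, LEGIT = "203.0.113.5", "198.51.100.7"  # constructed addresses


def burst_scenario():
    """Four open/close cycles in 8 s, then retries (constructed traffic)."""
    ev = []
    for i in range(4):
        ev.append((2 * i, ATTACKER, "syn"))
        ev.append((2 * i + 1, ATTACKER, "fin"))  # closes at t=1,3,5,7
    ev += [
        (8, ATTACKER, "syn"),   # four stamps inside 60 s -> DROP
        (9, LEGIT, "syn"),      # other sources are unaffected
        (61, ATTACKER, "syn"),  # stamp from t=1 still inside the window
        (62, ATTACKER, "syn"),  # it aged out: 3 hits, allowed again
    ]
    return ev


def slow_scenario():
    """One close every two minutes: under 4/min, but 20 within an hour."""
    ev = []
    for i in range(20):
        ev.append((120 * i, ATTACKER, "syn"))
        ev.append((120 * i + 1, ATTACKER, "fin"))
    ev.append((120 * 19 + 2, ATTACKER, "syn"))  # 20th close just happened
    return ev


if __name__ == "__main__":
    for name, ev in (("burst", burst_scenario()), ("slow", slow_scenario())):
        for (t, src, kind), v in zip(ev, run_policy(ev)):
            print(f"{name:5} t={t:4}s {src:13} {kind:3} -> {v}")
    # With --update every blocked retry refreshes the entry, so the
    # attempt at t=62 is still dropped.
    print("update verdict at t=62:", run_policy(burst_scenario(), "update")[-1])
```

Two things the replay makes visible: the fourth FIN itself is dropped, because the DROP rules are not restricted to new connections, and with `--rcheck` the block ends 60 seconds after the first recorded close rather than after the last retry, whereas `--update` would let every blocked retry prolong it.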