Gentoo Archives: gentoo-security

From: David vasil <vasil@××××××.edu>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:56:02
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by MaxieZ
MaxieZ wrote:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>
>> Hey all,
>>
>> I'm looking for an app/script which can monitor for failed ssh logins,
>> and block using IPTables for $time after $number of failed logins (an
>> exclusion list would be handy as well) so that I can put a quick stop to
>> these niggly brute-force ssh "attacks" I seem to be getting more and
>> more often.
>
Jeremy,

I agree with MaxieZ, a combination of SEC and Iptables works nicely in this
situation and could be extended to other services like FTP, IMAP, Web
authentication, etc. I personally do not feel that security through
obscurity by changing the port numbers is a viable solution.

Here is what I do:

First, I have SEC scanning my logs using the two rules from the attached
sec.rules file. The first rule looks for connections to the sshd port that
do not send an identification string. If it sees this message in syslog, it
then uses iptables to insert a rule to drop all packets from the source
address. The second rule looks for attempted logins using an invalid user
id. It then creates an iptables rule like the first one. I added in a
commented-out action line for both of those rules which creates a 24 hour
context, which after 24 hours will delete the iptables rule it created for
that ip address.

Second, I have three normal iptables rules which rate limit the number of
connections to port 22. This is to defend against brute force attacks on a
valid account.

    # iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j LOG --log-level 4 --log-prefix "iptables-drop: "
    # iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
    # iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

I highly recommend SEC for this type of log monitoring.

-dave


Attachment: sec.rules (text/plain)
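The log-driven half of the setup Dave describes (react to the two sshd messages, insert a DROP rule for the source address, honour an exclusion list, and delete the rule again after 24 hours), written out as a stand-alone Python script. This is an added example, not the attached sec.rules and not SEC itself. The exact iptables commands (`-I INPUT -s ADDR -j DROP` and the matching `-D`), the exclusion list and the syslog lines are assumptions constructed for the example; the two sshd message texts are OpenSSH's own. One design point worth noticing: the username in an "Invalid user ... from" line is chosen by the remote client, so the pattern takes the last "from <addr>" on the line (sshd writes the real peer address last) and validates it with `ipaddress` before anything is handed to iptables, rather than trusting whatever follows the first "from".

```python
"""Log-driven SSH blocking in the spirit of the SEC + iptables setup above.
Added example: not the attached sec.rules and not SEC. Commands, exclusion
list and sample log lines are assumptions made for the demonstration."""
import ipaddress
import re
import shlex
import subprocess
from datetime import datetime, timedelta

# The two sshd messages the post reacts to. In INVALID_USER the greedy '.*'
# before the final ' from ' is deliberate: the username is attacker-chosen text,
# and sshd always writes the real peer address last, so we capture the last
# "from <addr>" on the line (optionally followed by " port N").
NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+?)(?: port \d+)?$")

BLOCK_FOR = timedelta(hours=24)   # mirrors the 24 hour context in the post


class Blocker:
    """Tracks blocked addresses and issues the iptables commands for them.

    dry_run=True records the commands instead of executing them (used by the
    demo); run with dry_run=False as root to actually change the firewall.
    """

    def __init__(self, exclude=(), dry_run=True):
        self.exclude = {ipaddress.ip_address(a) for a in exclude}
        self.dry_run = dry_run
        self.blocked = {}    # address -> time at which its rule is deleted
        self.commands = []   # every iptables command issued, in order

    def _iptables(self, *args):
        argv = ["iptables", *args]
        self.commands.append(" ".join(shlex.quote(a) for a in argv))
        if not self.dry_run:
            subprocess.run(argv, check=True)

    def block(self, addr, now):
        """Insert a DROP rule for addr unless it is excluded or already blocked."""
        if addr in self.exclude or addr in self.blocked:
            return False
        self._iptables("-I", "INPUT", "-s", str(addr), "-j", "DROP")
        self.blocked[addr] = now + BLOCK_FOR
        return True

    def expire(self, now):
        """Delete the rules whose 24 hours are up; returns the released addresses."""
        released = [a for a, until in self.blocked.items() if now >= until]
        for addr in released:
            self._iptables("-D", "INPUT", "-s", str(addr), "-j", "DROP")
            del self.blocked[addr]
        return released

    def feed(self, line, now):
        """Process one syslog line seen at wall-clock time `now`.
        Returns True if a new block was created."""
        self.expire(now)
        for pattern in (NO_IDENT, INVALID_USER):
            m = pattern.search(line)
            if m:
                try:
                    addr = ipaddress.ip_address(m.group(1))
                except ValueError:
                    return False   # not something we will hand to iptables
                return self.block(addr, now)
        return False


# Constructed sample, not real traffic: (seconds after the first line, line).
# Line 5 has a username that itself contains "from 9.9.9.9 port 22".
SAMPLE_LOG = [
    (0,     "Oct  3 10:10:16 gw sshd[2011]: Did not receive identification string from 203.0.113.5"),
    (46,    "Oct  3 10:11:02 gw sshd[2015]: Invalid user admin from 198.51.100.7"),
    (49,    "Oct  3 10:11:05 gw sshd[2016]: Invalid user oracle from 198.51.100.7 port 40122"),
    (104,   "Oct  3 10:12:00 gw sshd[2020]: Invalid user test from 192.0.2.10"),
    (130,   "Oct  3 10:12:26 gw sshd[2021]: Invalid user x from 9.9.9.9 port 22 from 198.51.100.77 port 40200"),
    (284,   "Oct  3 10:15:00 gw sshd[2030]: Accepted publickey for dave from 192.0.2.10 port 51234 ssh2"),
    (87000, "Oct  4 10:20:16 gw sshd[3001]: Accepted publickey for dave from 192.0.2.10 port 51300 ssh2"),
]


def run_demo(exclude=("192.0.2.10",)):
    """Replay SAMPLE_LOG in dry-run mode and return the Blocker for inspection."""
    start = datetime(2005, 10, 3, 10, 10, 16)
    blocker = Blocker(exclude=exclude)
    for offset, line in SAMPLE_LOG:
        blocker.feed(line, start + timedelta(seconds=offset))
    return blocker


if __name__ == "__main__":
    for cmd in run_demo().commands:
        print(cmd)
```

Replaying the sample produces three `-I` commands (203.0.113.5, 198.51.100.7 once despite two hits, and 198.51.100.77 rather than the 9.9.9.9 smuggled in the username), nothing for the excluded 192.0.2.10, and three matching `-D` commands once the line from the following day arrives and the 24 hours have elapsed. A real deployment would feed `feed()` from a tailed log with the current time and run without `dry_run`.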


Replies:
  Re: [gentoo-security] [OT?] automatically firewalling off IPs  (rpfc@××××××××××××.pt)