Gentoo Archives: gentoo-security

From: David vasil <vasil@××××××.edu>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:56:02
Message-Id: 43412B8F.5040207@cs.utk.edu
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by MaxieZ
MaxieZ wrote:
> On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
>
>>Hey all,
>>
>>I'm looking for an app/script which can monitor for failed ssh logins,
>>and block using IPTables for $time after $number of failed logins (an
>>exclusion list would be handy as well) so that I can put a quick stop to
>>these niggly brute-force ssh "attacks" I seem to be getting more and
>>more often.
>
> http://kodu.neti.ee/~risto/sec/

Jeremy,
I agree with MaxieZ, a combination of SEC and iptables works nicely in
this situation and could be extended to other services like FTP, IMAP,
web authentication, etc. I personally do not feel that security through
obscurity by changing the port numbers is a viable solution. Here is
what I do:

First, I have SEC scanning my logs using the two rules from the attached
sec.rules file. The first rule looks for connections to the sshd port
that do not send an identification string. If it sees this message in
syslog, it then uses iptables to insert a rule to drop all packets from
the source address. The second rule looks for attempted logins using an
invalid user id. It then creates an iptables rule like the first one.
I added in a commented-out action line for both of those rules which
creates a 24-hour context, which after 24 hours will delete the iptables
rule it created for that IP address.

Second, I have three normal iptables rules which rate limit the number
of connections to port 22. This is to defend against brute force
attacks on a valid account.

# Each -I inserts at the top of the chain, so the DROP rule must be inserted
# before the LOG rule; the resulting chain order is --set, LOG, DROP, and the
# LOG rule is reached before the packet is dropped.
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j LOG --log-level 4 --log-prefix "iptables-drop: "
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

I highly recommend SEC for this type of log monitoring.

-dave

Attachments

sec.rules (text/plain)
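The attached sec.rules file is not reproduced on this page. As an added example (not the author's rules and not SEC itself), the following Python models the same correlation logic the message describes: match the two sshd syslog messages, block the source address, keep a 24-hour expiry context that removes the rule again, and honour the exclusion list Jeremy asked for. The iptables commands are collected as strings rather than executed so the logic can be run offline; the log lines are constructed samples, the class and function names are the example's own, and the regular expressions assume OpenSSH's "Did not receive identification string from" and "Invalid user ... from" message wording.

```python
import re
from ipaddress import ip_address, ip_network

# The two sshd messages the post's SEC rules key on (OpenSSH wording
# as logged through syslog; assumed here, the attached rules are not shown).
NO_IDENT = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (\S+)")
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")

BLOCK_SECONDS = 24 * 60 * 60  # the post's 24-hour context


class SshBlocker:
    """Tracks offending source addresses and records the iptables
    commands SEC would run as its action.  Commands are collected,
    not executed, so the class can be exercised without root."""

    def __init__(self, exclusions=()):
        # Exclusion list: addresses or networks that are never blocked.
        self.exclusions = [ip_network(n, strict=False) for n in exclusions]
        self.blocked = {}    # address -> epoch seconds when its rule expires
        self.commands = []   # iptables invocations, in order

    def is_excluded(self, addr):
        ip = ip_address(addr)
        return any(ip in net for net in self.exclusions)

    def _block(self, addr, now, reason):
        # One rule per address; refuse to touch excluded hosts.
        if addr in self.blocked or self.is_excluded(addr):
            return False
        self.blocked[addr] = now + BLOCK_SECONDS
        self.commands.append(f"iptables -I INPUT -s {addr} -j DROP  # {reason}")
        return True

    def expire(self, now):
        """Delete rules whose 24-hour context has elapsed."""
        for addr, deadline in list(self.blocked.items()):
            if now >= deadline:
                del self.blocked[addr]
                self.commands.append(f"iptables -D INPUT -s {addr} -j DROP")

    def feed(self, now, line):
        """Process one syslog line seen at `now` (epoch seconds).
        Returns True when a new block rule was created."""
        self.expire(now)
        m = NO_IDENT.search(line)
        if m:
            return self._block(m.group(1), now, "no identification string")
        m = INVALID_USER.search(line)
        if m:
            return self._block(m.group(1), now, "invalid user")
        return False


# Constructed sample log lines (not real traffic); the first field is the
# time the line was seen, in epoch seconds, because syslog stamps lack a year.
SAMPLE = [
    (0,     "Oct  3 10:00:00 host sshd[1234]: Did not receive identification string from 203.0.113.7"),
    (5,     "Oct  3 10:00:05 host sshd[1240]: Invalid user admin from 198.51.100.9"),
    (6,     "Oct  3 10:00:06 host sshd[1241]: Invalid user oracle from 198.51.100.9"),
    (10,    "Oct  3 10:00:10 host sshd[1250]: Invalid user test from 192.0.2.5"),
    (20,    "Oct  3 10:00:20 host sshd[1260]: Accepted publickey for dave from 192.0.2.5 port 40000 ssh2"),
    (86401, "Oct  4 10:00:01 host sshd[2000]: Invalid user guest from 203.0.113.7"),
]


def run(sample=SAMPLE, exclusions=("192.0.2.0/24",)):
    """Replay the sample through the blocker and return it for inspection."""
    blocker = SshBlocker(exclusions)
    for seen_at, line in sample:
        blocker.feed(seen_at, line)
    return blocker


if __name__ == "__main__":
    for cmd in run().commands:
        print(cmd)
```

Replaying the sample blocks 203.0.113.7 and 198.51.100.9 (the second only once, although it appears twice), leaves the excluded 192.0.2.5 alone, removes the 203.0.113.7 rule when its 24 hours are up, and then re-blocks that address when it offends again. Running the real commands instead of collecting them is a one-line change, but keep the exclusion check: without it, a typo'd login from your own management network locks you out for a day.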

Replies

Re: [gentoo-security] [OT?] automatically firewalling off IPs by rpfc@××××××××××××.pt