Hi,

On Sunday, 07 Oct 2007, 10:40:10 +0100, Mick wrote:

> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in? I am looking here at a server which over the
> last week is being attacked daily with random usernames. So the only
> constant in these repeated attempts is not the username, but the IP address.
> Occasionally, the odd service name (e.g. rpc, mysql, postgres, etc.) repeats
> itself, otherwise they seem to be randomly selected from a dictionary.

This is a _real_ nuisance. Besides that I doubt there is any
meaningful harvest.

> I have already disabled PAM authentication on sshd so that only users with a
> public key in their ~/.ssh can login.

Host-based authentication is one possible solution. Fail2ban
was already mentioned, too.

A bit more difficult is the ban by iptables. This one has been
working here successfully for quite some time:

SSH_WHITELIST="192.168.0.0/16 11.22.33.44"

IPT='/sbin/iptables -v'

iptsshdefence()
{
  # Whitelisted sources are dropped from the "SSH" recent list and accepted.
  $IPT -N sshwhite
  for t in $SSH_WHITELIST
  do
    $IPT -A sshwhite -s "$t" -m recent --remove --name SSH -j ACCEPT
  done

  # Order matters: record every new SSH connection, let whitelisted hosts
  # through, then reject sources with 4 or more new connections in 60 seconds.
  # Uncomment the LOG rules to see requests and blocked attempts in the syslog.
  # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix 'SSH request '
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j sshwhite
  # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix 'SSH brute_force '
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT
}

|
42 |
Of course you need a kernel with recent module and reject |
43 |
target support compiled in. |
44 |
|
45 |
Thanks a lot again to this list! |
46 |
|
47 |
Bertram |
48 |
|
49 |
|
50 |
-- |
51 |
Bertram Scharpf |
52 |
Stuttgart, Deutschland/Germany |
53 |
http://www.bertram-scharpf.de |
54 |
-- |
55 |
gentoo-user@g.o mailing list |
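As an added illustration that is not part of Bertram's post, here is a small Python model of what that rule order does to a series of NEW SSH connections: the `recent` list bookkeeping, the whitelist removal, and the 60-second / 4-hit window. The event list and the addresses 203.0.113.9 and 192.168.1.7 are constructed; the whitelist values are the ones from the posted script.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SSH_WHITELIST = ["192.168.0.0/16", "11.22.33.44"]  # values from the posted script
WINDOW, HITCOUNT = 60, 4                            # --seconds 60 --hitcount 4


class RecentList:
    """Model of the kernel `recent` list: per-source packet timestamps.
    --rttl (the TTL must also match the recorded one) is not modelled."""

    def __init__(self, window, hitcount):
        self.window, self.hitcount = window, hitcount
        self.seen = defaultdict(list)

    def set(self, src, now):                 # --set: record this packet
        self.seen[src].append(now)

    def remove(self, src):                   # --remove: forget the source
        self.seen.pop(src, None)

    def update(self, src, now):              # --update --seconds --hitcount
        recent = [t for t in self.seen.get(src, []) if now - t <= self.window]
        if len(recent) >= self.hitcount:
            self.seen[src] = recent + [now]  # --update refreshes "last seen",
            return True                      # so continued attempts extend the block
        return False


def decide(recent, src, now):
    """Walk the posted INPUT rules for one NEW packet to port 22 from src."""
    recent.set(src, now)                     # rule 1: -m recent --set
    if any(ip_address(src) in ip_network(n) for n in SSH_WHITELIST):
        recent.remove(src)                   # rule 2: sshwhite chain, --remove + ACCEPT
        return "ACCEPT"
    if recent.update(src, now):              # rule 3: 4 hits in 60 s -> REJECT
        return "REJECT"
    return "CONTINUE"                        # falls through to later INPUT rules


def simulate(events):
    """events: (seconds, source) NEW connections in time order -> decisions."""
    recent = RecentList(WINDOW, HITCOUNT)
    return [decide(recent, src, t) for t, src in events]


# Constructed sample: a scanner retrying port 22, plus one whitelisted LAN host.
EVENTS = [(0, "203.0.113.9"), (5, "203.0.113.9"), (10, "203.0.113.9"),
          (15, "203.0.113.9"), (40, "192.168.1.7"), (70, "203.0.113.9"),
          (200, "203.0.113.9")]
```

Running `simulate(EVENTS)` shows the fourth attempt inside the window being rejected, the retry at 70 s still rejected because `--update` refreshed the entry, and the attempt at 200 s passing again once the source has been quiet for longer than 60 s.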