Gentoo Archives: gentoo-user

From: Bertram Scharpf <lists@×××××××××××××××.de>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Break In attempts
Date: Sun, 07 Oct 2007 12:27:42
Message-Id: 20071007120935.GA7702@bart.simpsons.bs.loc
In Reply to: [gentoo-user] Break In attempts by Mick
Hi,

On Sunday, 07 Oct 2007, 10:40:10 +0100, Mick wrote:
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in? I am looking here at a server which over the
> last week is being attacked daily with random usernames. So the only
> constant in these repeated attempts is not the username, but the IP address.
> Occasionally, the odd service name (e.g. rpc, mysql, postgres, etc.) repeats
> itself, otherwise they seem to be randomly selected from a dictionary.

This is a _real_ nuisance. Besides that I doubt there is any
meaningful harvest.

> I have already disabled PAM authentication on sshd so that only users with a
> public key in their ~/.ssh can login.

Host-based authentication is one possible solution. Fail2ban
was already mentioned, too.

A bit more difficult is the ban by iptables. This one has been
working here successfully for quite some time:

22
23 SSH_WHITELIST="192.168.0.0/16 11.22.33.44"
24
25 IPT='/sbin/iptables -v'
26
27 iptsshdefence()
28 {
29 $IPT -N sshwhite
30 for t in $SSH_WHITELIST
31 do
32 $IPT -A sshwhite -s $t -m recent --remove --name SSH -j ACCEPT
33 done
34
35 # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix 'SSH request '
36 $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
37 $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j sshwhite
38 # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix 'SSH brute_force '
39 $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT
40 }
41
42 Of course you need a kernel with recent module and reject
43 target support compiled in.
44
45 Thanks a lot again to this list!
46
47 Bertram
48
49
50 --
51 Bertram Scharpf
52 Stuttgart, Deutschland/Germany
53 http://www.bertram-scharpf.de
54 --
55 gentoo-user@g.o mailing list
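As an added example (not part of Bertram's mail or any Gentoo documentation), the script below builds the same kind of "recent"-match rate limit in a self-contained, dry-runnable form. Compared with the function quoted above it checks whitelisted sources before anything is recorded, uses --rcheck for the LOG rule so that logging does not add a second timestamp to the entry, ends the chain with an explicit ACCEPT, and is safe to run twice. The chain name sshguard, the thresholds, the whitelist addresses and the helper names are illustrative choices made here, not taken from the page. With IPT unset it only prints the commands it would run; set IPT=/sbin/iptables as root to install them.

```shell
#!/bin/sh
# Added example: sshd brute-force rate limit with the iptables "recent" match.
# Not from the original mail. All names and thresholds below are assumptions.

SSH_PORT="${SSH_PORT:-22}"
SSH_WHITELIST="${SSH_WHITELIST:-192.168.0.0/16 11.22.33.44}"  # example values
SSH_WINDOW="${SSH_WINDOW:-60}"      # seconds
SSH_HITS="${SSH_HITS:-4}"           # NEW connections per source per window
IPT="${IPT:-echo /sbin/iptables}"   # dry run unless the caller overrides it

# Build (or, with IPT=/sbin/iptables, install) the rules.  Order inside the
# chain matters:
#   1. whitelisted sources are accepted before anything is recorded, so an
#      admin network can never trip the counter and never needs --remove;
#   2. every other NEW connection adds a timestamp to the list named SSH;
#   3. --rcheck looks at the list without touching it: if this source already
#      has SSH_HITS stamps within SSH_WINDOW seconds, log it;
#   4. --update re-tests and refreshes the entry, then rejects with a TCP RST
#      so the client fails fast instead of waiting for a timeout;
#   5. everything below the threshold is accepted.
# --rttl counts only packets whose TTL matches the one seen at --set, so a
# third party cannot get a victim's address banned with spoofed SYNs.
ssh_defence_rules() {
    # Create the chain, or flush it if it already exists (re-run safe)
    $IPT -N sshguard 2>/dev/null || $IPT -F sshguard
    for t in $SSH_WHITELIST; do
        $IPT -A sshguard -s "$t" -j ACCEPT
    done
    $IPT -A sshguard -m recent --name SSH --set
    $IPT -A sshguard -m recent --name SSH --rcheck \
        --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" --rttl \
        -j LOG --log-prefix 'SSH brute_force '
    $IPT -A sshguard -m recent --name SSH --update \
        --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" --rttl \
        -j REJECT --reject-with tcp-reset
    $IPT -A sshguard -j ACCEPT
    # Hook the chain into INPUT for new TCP connections to the ssh port only.
    # The -D removes a jump left over from an earlier run so it is not stacked.
    $IPT -D INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j sshguard 2>/dev/null || true
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j sshguard
}

# Show who is currently in the list (xt_recent kernels; older kernels used
# /proc/net/ipt_recent/SSH instead).
ssh_defence_status() {
    cat /proc/net/xt_recent/SSH 2>/dev/null || cat /proc/net/ipt_recent/SSH
}

# Remove one address from the list by hand (xt_recent: "-addr" deletes,
# "+addr" adds, "/" clears the whole list).
ssh_defence_unblock() {
    echo "-$1" > /proc/net/xt_recent/SSH
}

case "${1:-}" in
    rules)   ssh_defence_rules ;;
    status)  ssh_defence_status ;;
    unblock) ssh_defence_unblock "${2:-}" ;;
esac
```

Run it as `sh sshguard.sh rules` to see the exact iptables commands, and as `IPT=/sbin/iptables sh sshguard.sh rules` (as root) to install them; `status` and `unblock 1.2.3.4` inspect and edit the kernel's list without touching the rules. As in the original function, the kernel needs the recent match and the REJECT target, and the state match (or its conntrack replacement) must be available.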