From: Joey Kelly <[EMAIL PROTECTED]>
Date: Sun Jul 17 2005
Subject: [brlug-general] slowing down ssh attacks

I ran across a bit of iptables that claims to slow down the ssh dictionary attacks we've all been seeing in our logs. Anyone care to analyse this?

SSH

  -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
  -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j DROP
  -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT --to-destination $INTERNAL:22
  -A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination $INTERNAL:22

"This will drop all incoming SSH requests from an individual IP after 3 attempts are made within ten minutes, for ten minutes, and log the attempt to the syslog. This is a forwarded example but the same thing will work on the input chain."

Source: one of the comments on http://www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/

-- 
Joey Kelly
< Minister of the Gospel | Linux Consultant >
http://joeykelly.net

"I may have invented it, but Bill made it famous."
--- David Bradley, the IBM employee that invented CTRL-ALT-DEL


From: [EMAIL PROTECTED] (Dennis)
Date: Sun Jul 17 09:16:58 2005
Subject: [brlug-general] slowing down ssh attacks

I don't know much about IP Chains, but could this lock somebody out of the computer quickly if they used scp several times in a ten minute period?

- Dennis

On 7/17/05, Joey Kelly <[EMAIL PROTECTED]> wrote:
> I ran across a bit of iptables that claims to slow down the ssh dictionary
> attacks we've all been seeing in our logs. Anyone care to analyse this?


From: [EMAIL PROTECTED] (Joey Kelly)
Date: Sun Jul 17 10:40:58 2005
Subject: [brlug-general] slowing down ssh attacks

On Sunday July 17 2005 09:17, Dennis spake:
> I don't know much about IP Chains, but could this lock somebody out of the
> computer quickly if they used scp several times in a ten minute period?

I know *I'm* not going to blow my password on three attempts. Likewise anyone I trust with an account.


From: [EMAIL PROTECTED] (Will Hill)
Date: Sun Jul 17 11:04:08 2005
Subject: [brlug-general] slowing down ssh attacks

But can someone blow it for you? Can they spoof your IP address?

On Sunday 17 July 2005 10:39 am, Joey Kelly wrote:
> I know *I'm* not going to blow my password on three attempts. Likewise
> anyone I trust with an account.
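Added example, not from the thread or from the whitedust comment it quotes: a small Python model of the `-m recent` bookkeeping (`--set`, `--rcheck --hitcount 3 --seconds 600`) behind the posted rules, so Dennis's question can be checked against the match semantics rather than guessed at. The match is keyed on source address alone and, because only the first packet of a connection reaches nat/PREROUTING, it counts new connections, not failed passwords: three scp runs from one address inside ten minutes cause the fourth connection to be dropped whether or not the logins succeeded, and the block lifts only when a hit ages out of the 600-second window. The timestamps and addresses (TEST-NET ranges) are constructed, the `PKT_LIST_TOT` value is the module default as I recall it, and the `update` flag models the `--update` variant rather than anything in the posted rules.

```python
# Added example (not from the thread): model of the ipt_recent / xt_recent
# bookkeeping behind the posted SSH rules.
from collections import defaultdict

HITCOUNT = 3       # --hitcount 3
SECONDS = 600      # --seconds 600
PKT_LIST_TOT = 20  # ip_pkt_list_tot: timestamps kept per address (module default, assumed)


class RecentTable:
    """Per-source list of hit timestamps, as kept by the recent match."""

    def __init__(self):
        self.stamps = defaultdict(list)  # source address -> hit timestamps (seconds)

    def rcheck(self, src, now, hitcount=HITCOUNT, seconds=SECONDS):
        """--rcheck --seconds N --hitcount M: true when src is listed and has at
        least M hits no older than N seconds. Checking never records anything."""
        recent = [t for t in self.stamps.get(src, ()) if now - t <= seconds]
        return len(recent) >= hitcount

    def set(self, src, now):
        """--set (and the refresh done by --update): add one more timestamp for
        src, keeping only the newest PKT_LIST_TOT."""
        self.stamps[src].append(now)
        del self.stamps[src][:-PKT_LIST_TOT]


def ssh_rules(table, src, now, update=False):
    """Run one *new* SSH connection from src through the three posted rules in
    order. Only the first packet of a connection reaches nat/PREROUTING, so
    the table counts connections, not packets or failed passwords.
      1. -m recent --rcheck ... -j LOG   (non-terminating)
      2. -m recent --rcheck ... -j DROP
      3. -m recent --set     -j DNAT
    update=True models the variant that uses --update instead of --rcheck."""
    if table.rcheck(src, now):
        if update:            # --update refreshes the entry on every blocked hit
            table.set(src, now)
        return ["LOG", "DROP"]
    table.set(src, now)       # rule 3 is reached only by connections that got through
    return ["DNAT"]


def run_timeline(timeline, update=False):
    """timeline: (seconds, source) pairs in time order. Returns the final
    verdict for each connection."""
    table = RecentTable()
    return [ssh_rules(table, src, t, update)[-1] for t, src in timeline]


# Constructed scenario (TEST-NET addresses): one admin runs scp three times in
# five minutes, tries a fourth, and an unrelated host connects once.
SCP_TIMELINE = [
    (0, "203.0.113.10"),
    (120, "203.0.113.10"),
    (240, "203.0.113.10"),
    (300, "203.0.113.10"),   # fourth new connection inside 600 s -> dropped
    (310, "198.51.100.7"),   # different source, own counter -> allowed
    (590, "203.0.113.10"),   # still three hits inside the window -> dropped
    (601, "203.0.113.10"),   # first hit has aged out -> allowed again
    (720, "203.0.113.10"),   # 120, 240 and 601 are all within 600 s -> dropped
]

if __name__ == "__main__":
    for (t, src), verdict in zip(SCP_TIMELINE, run_timeline(SCP_TIMELINE)):
        print(f"t={t:4d}s {src:15s} {verdict}")
```

Two properties of the posted form are worth noticing when deciding whether to deploy it on an INPUT chain. With `--rcheck`, a blocked connection is not recorded (the `--set` rule sits after the DROP), so the "ten minutes" is measured from the attempts that got through, and a legitimate user who keeps opening sessions will trip the rule repeatedly even after it lifts. With `--update` instead, every blocked attempt refreshes the entry, so a client that keeps retrying while blocked stays blocked; `run_timeline(SCP_TIMELINE, update=True)` shows the 601 s connection dropped as well.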