On 11/6/06, Grant Kelly <[EMAIL PROTECTED]> wrote:
Trying to blacklist every IP that attempts automated ssh brute force logins is an exercise in futility.
Just whitelist all IPs you and trusted others will be connecting from.
If you habitually connect from unknown remote IPs, you can always go the fun route and hack up a primitive iptables-based port knocking implementation. Like so:
/sbin/iptables -N GO-LEVEL2
/sbin/iptables -A GO-LEVEL2 -m recent --name LEVEL1 --remove
/sbin/iptables -A GO-LEVEL2 -m recent --name LEVEL2 --set
/sbin/iptables -N GO-LEVEL3
/sbin/iptables -A GO-LEVEL3 -m recent --name LEVEL2 --remove
/sbin/iptables -A GO-LEVEL3 -m recent --name LEVEL3 --set
/sbin/iptables -A INPUT -m recent --update --name LEVEL1
/sbin/iptables -A INPUT -p tcp --dport 101 -m recent --set --name LEVEL1
/sbin/iptables -A INPUT -p tcp --dport 201 -m recent --rcheck --name LEVEL1 -j GO-LEVEL2
/sbin/iptables -A INPUT -p tcp --dport 301 -m recent --rcheck --name LEVEL2 -j GO-LEVEL3
/sbin/iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 10 --name LEVEL3 -j ACCEPT
Connect to ports 101, 201 and 301 with telnet using a strung-together command (telnet <ip> 101; telnet <ip> 201; telnet <ip> 301; ssh <ip>), and it'll open ssh for 10 seconds. You can play around with this, switching tcp connects to ICMP, etc. You might want to implement the LOG target after each LEVEL as well.
If you have any problems, let me know. Cheers.
Once I noticed the attempts were happening, to block any traffic from
them to me, I added the IP address to /etc/hosts.deny, or:
`echo "ALL:ip.add.re.ss" >> /etc/hosts.deny`
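Added example, not part of the mailing-list post: a small Python model of the iptables `recent` match (the --set / --rcheck / --update / --remove operations and the --seconds window) that walks a packet through the INPUT rules quoted above in order, so the knock sequence can be dry-run before loading it on a real host. The model assumes the rest of the INPUT chain ends in a DROP policy, that only TCP packets are relevant, and passes timestamps in explicitly so the 10-second window can be exercised without sleeping; the source address 198.51.100.7 is a constructed sample.

```python
"""Added example (not from the mailing-list post): a model of the iptables
'recent' match used to dry-run the port-knocking rule set before deploying it.
Assumptions: TCP only, everything that reaches the end of INPUT hits a DROP
policy, and timestamps are passed in explicitly (no real clock)."""

from typing import Dict, Optional


class RecentLists:
    """Models the per-list, per-source timestamps kept by `-m recent`."""

    def __init__(self) -> None:
        self._lists: Dict[str, Dict[str, float]] = {}

    def set(self, name: str, src: str, now: float) -> None:
        # --set: add the source (or refresh it) with the current time
        self._lists.setdefault(name, {})[src] = now

    def remove(self, name: str, src: str) -> None:
        # --remove: drop the source from the list if present
        self._lists.get(name, {}).pop(src, None)

    def rcheck(self, name: str, src: str, now: float,
               seconds: Optional[float] = None) -> bool:
        # --rcheck [--seconds N]: match if listed (and seen within N seconds)
        last = self._lists.get(name, {}).get(src)
        if last is None:
            return False
        return seconds is None or now - last <= seconds

    def update(self, name: str, src: str, now: float) -> bool:
        # --update: like --rcheck, but refreshes the timestamp on a hit
        if self.rcheck(name, src, now):
            self._lists[name][src] = now
            return True
        return False


class KnockFirewall:
    """Walks one TCP packet through the INPUT rules from the post, in order."""

    def __init__(self) -> None:
        self.recent = RecentLists()

    def go_level2(self, src: str, now: float) -> None:
        # chain GO-LEVEL2: LEVEL1 --remove, LEVEL2 --set, then return to INPUT
        self.recent.remove("LEVEL1", src)
        self.recent.set("LEVEL2", src, now)

    def go_level3(self, src: str, now: float) -> None:
        # chain GO-LEVEL3: LEVEL2 --remove, LEVEL3 --set, then return to INPUT
        self.recent.remove("LEVEL2", src)
        self.recent.set("LEVEL3", src, now)

    def input(self, src: str, dport: int, now: float) -> str:
        r = self.recent
        # -A INPUT -m recent --update --name LEVEL1   (no target: match only)
        r.update("LEVEL1", src, now)
        # -A INPUT -p tcp --dport 101 -m recent --set --name LEVEL1
        if dport == 101:
            r.set("LEVEL1", src, now)
        # -A INPUT -p tcp --dport 201 -m recent --rcheck --name LEVEL1 -j GO-LEVEL2
        if dport == 201 and r.rcheck("LEVEL1", src, now):
            self.go_level2(src, now)
        # -A INPUT -p tcp --dport 301 -m recent --rcheck --name LEVEL2 -j GO-LEVEL3
        if dport == 301 and r.rcheck("LEVEL2", src, now):
            self.go_level3(src, now)
        # -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 10 --name LEVEL3 -j ACCEPT
        if dport == 22 and r.rcheck("LEVEL3", src, now, seconds=10):
            return "ACCEPT"
        return "DROP"  # assumed chain policy for everything else


def knock_then_ssh(fw: KnockFirewall, src: str, ports, start: float,
                   ssh_delay: float) -> str:
    """Send the knocks one second apart, then try port 22 ssh_delay seconds
    after the last knock. Returns the verdict for the SSH packet."""
    now = start
    for p in ports:
        fw.input(src, p, now)
        now += 1
    return fw.input(src, 22, now - 1 + ssh_delay)


if __name__ == "__main__":
    src = "198.51.100.7"  # constructed sample client address
    print(knock_then_ssh(KnockFirewall(), src, [101, 201, 301], 0, 5))   # ACCEPT
    print(knock_then_ssh(KnockFirewall(), src, [301, 201, 101], 0, 5))   # DROP (wrong order)
    print(knock_then_ssh(KnockFirewall(), src, [101, 201, 301], 0, 11))  # DROP (window expired)
```

The three runs in the main block check the properties a practitioner wants before trusting the rules: the right sequence opens port 22 inside the 10-second window, the reversed sequence never reaches LEVEL3, and an SSH attempt 11 seconds after the last knock is dropped again. Because the knock packets themselves fall through to the DROP policy in this model, each `telnet` in the quoted one-liner will sit there until its connect times out; that is a timing nuisance, not a correctness problem for the state machine.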
_______________________________________________ RLUG mailing list [email protected] http://lists.rlug.org/mailman/listinfo/rlug
