On 2011/12/30 18:05, MT Julianto wrote:
On 30 December 2011 14:22, jdow <j...@earthlink.net> wrote:

    On 2011/12/30 00:14, MT Julianto wrote:

        Indeed, I found some traces of an intruder trying to get root access via
        ssh, but none succeeded.  Now, I use fail2ban (available at atrpms) to
        handle them.


    I find zero to five tries a day. For some strange reason every try is from a
    different address.


Exactly!  I have a web server which still gets thousands of sshd attacks per
month, although fail2ban is installed with bantime = 1 hour :-(

For the current machine, just before fail2ban was installed yesterday, I found
about 500 tries in half an hour from the same address.  sshd attacks dropped
drastically after fail2ban was installed.

    I have my own iptables script with lines like these in it:
    $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
    $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
      --rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
      --log-level info
    $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
      --rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset

    The -m recent, --seconds 60, and --hitcount 2 phrases are the magic. Much of
    that is so that I get the rejects logged, thanks to my sick curiosity.

Interesting!  However, I don't know much about iptables.

    This allows me to typo the password. All I have to do is wait a couple of
    minutes between tries.

Is it the same as fail2ban with the setting maxretry=1?

I don't know. I learned of fail2ban from the BSD mailing list long after I'd
learned that iptables trick. I feel more comfortable with the iptables trick
since it is right there instantly rather than with any log reading delays.
It even prevents two attempts from the same address if the first one was
successful, which is not something I've ever wanted to do. It's one less
piece of software on the system. It means I had to learn iptables a bit.

I learned the trick on one of the Red Hat lists about a decade ago.

{^_^}

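A small model of what the three `-m recent` rules above do, added here as an example that is not code from the thread. It assumes the xt_recent semantics from the iptables manual (the match fires when at least --hitcount timestamps for the address fall within the last --seconds), and the addresses and timings are constructed sample traffic.

```python
from collections import defaultdict, deque

# Window and threshold from the posted rules: --seconds 60 --hitcount 2
WINDOW_SECONDS = 60
HITCOUNT = 2
# xt_recent keeps a bounded number of timestamps per address
# (module parameter ip_pkt_list_tot, default 20); modelled as a deque cap.
MAX_TIMESTAMPS = 20


class RecentTable:
    """Minimal model of the kernel's 'recent' list named 'sshattack'."""

    def __init__(self):
        self.seen = defaultdict(lambda: deque(maxlen=MAX_TIMESTAMPS))

    def set(self, addr, now):
        # '--set' on a rule with no -j target: record the packet, fall through.
        self.seen[addr].append(now)

    def rcheck(self, addr, now, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        # '--rcheck --seconds N --hitcount M': match when at least M packets
        # from addr were recorded within the last N seconds.
        hits = sum(1 for t in self.seen[addr] if now - t <= seconds)
        return hits >= hitcount


def filter_syn(table, addr, now):
    """Walk the three posted rules for one SYN to port 22; return the verdict."""
    table.set(addr, now)                     # rule 1: --set
    if table.rcheck(addr, now):              # rule 2 (LOG) and rule 3 (REJECT)
        return "REJECT"                      # tcp-reset sent, line logged
    return "ACCEPT"                          # falls through to later rules


def run(events):
    """events: list of (seconds_since_start, source_address) SYNs, time ordered."""
    table = RecentTable()
    return [(t, addr, filter_syn(table, addr, t)) for t, addr in events]


# Constructed sample traffic: a brute-force burst from one address, a legitimate
# user who mistypes and waits two minutes, and the caveat from the thread: a
# second connection within a minute is refused even after a successful login.
SAMPLE_SYNS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),  # burst
    (5, "203.0.113.10"),                                            # legit, typo
    (125, "203.0.113.10"),                                          # retry after 2 min
    (126, "203.0.113.10"),                                          # second session
    (200, "198.51.100.7"),                                          # window expired
]
```

Running `run(SAMPLE_SYNS)` shows only the first SYN of the burst and the patient retry getting through, while the legitimate second session at t=126 is reset exactly as jdow describes.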