May I suggest something more effective? Please take a look at FWKNOP
(http://cipherdyne.org/fwknop), which works well with Shorewall.
You keep SSH (TCP 22) blocked, but when FWKNOP receives a single digitally
signed UDP packet that contains some identifier, it opens SSH (creates an
iptables rule) for that specific address for some seconds (30 by default)
and then removes it after the timeout. ESTABLISHED connections are maintained, so
even when the rule is removed an existing connection keeps working. It can
do a lot more, but that specific use is what may help you.
Seems like the perfect solution for you: no brute force attack, because no one
can use SSH without authenticating with FWKNOP first. I used it and it works
like a charm.
Flavio
Brasil
P.S. to Tom Eastep: I marvel at Shorewall, what a piece of software! Keep up the
fantastic work.
n dhert <[email protected]> wrote on 8 Nov 2009, 10:20 AM:
Subject: [Shorewall-users] counter SSH brute force attacks
I have a line in my Shorewall rules file:
Limit:info:SSHBFAttack,3,60     net   $MACHINE   tcp  22 
to counter SSH attacks to the machine $MACHINE (max 3 SSH requests per
minute from the same machine, then one needs to wait a minute for the next SSH
request).

Now I want to make one exception to this limitation for one particular
machine on the 'net' zone, say 217.218.219.220.
I tried
Limit:info:SSHBFAttack,3,60     net:!217.218.219.220   tcp    22 
but the result is that 217.218.219.220 is excluded totally from SSH,
definitely not what I want :-)

What line(s) must be used to achieve that?
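A Shorewall rules fragment, added here and not written by either poster, showing why the negated-SOURCE attempt locks the trusted host out and how an ordered ACCEPT rule exempts it. It assumes Shorewall matches rules in file order (first match wins) and that the net-to-$MACHINE policy is DROP or REJECT, so anything no rule accepts is blocked.

```conf
# Attempt from the question: the negated SOURCE means this rule simply never
# matches 217.218.219.220, so that host falls through to the net->$MACHINE
# policy (assumed DROP or REJECT) and is locked out of SSH entirely.
#ACTION                         SOURCE                 DEST       PROTO  DEST PORT(S)
#Limit:info:SSHBFAttack,3,60    net:!217.218.219.220   $MACHINE   tcp    22

# Corrected version (assumes first-match ordering of the rules file):
# accept the one trusted host before the Limit rule, then rate-limit and log
# everyone else exactly as before. The trusted host never hits the counter.
ACCEPT                          net:217.218.219.220    $MACHINE   tcp    22
Limit:info:SSHBFAttack,3,60     net                    $MACHINE   tcp    22
```

Both rules belong in the same section of the rules file, with the ACCEPT placed above the Limit line.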

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users