On Fri, Oct 10, 2008 at 03:41:57PM +1100, Michael Chesterton wrote:
>
> On 10/10/2008, at 10:58 AM, Daniel Pittman wrote:
>>
>> Personally, I use fail2ban[1] which uses the cruder, but still
>> effective, technique of reading your logs and blocking people who try
>> to guess passwords via iptables.
>
> I use with great success an iptables rule to limit new ssh connections
> to 2 or 3 a minute, brute forcers will get a few attempts, then time out
> and move on.
That's what I have found as well. For example, the rules I am using now are:

# Create the SSH chain first (the chain must exist before INPUT can jump to it).
iptables -t filter -N SSH
# Assumes earlier INPUT rules already accept ESTABLISHED,RELATED traffic,
# so only new connections to port 22 reach this chain.
iptables -A INPUT -i <internet interface> -p tcp --dport 22 -j SSH
# Record this source address in the "SSH" recent list.
iptables -t filter -A SSH -m recent --set --name SSH
# Fewer than 4 hits from this source in the last 300 seconds: let it through.
iptables -t filter -A SSH -m recent --name SSH ! --rcheck --seconds 300 --hitcount 4 -j RETURN
# Well, the NEW connection has been seen so let's update the SSH
# recent list.
iptables -t filter -A SSH -m recent --name SSH --update
# I like to log on a line by itself so I don't have to remember
# to do it on my last line prior to the end of my script.
iptables -t filter -A SSH --jump ULOG $ULOG_OPTIONS --ulog-prefix "sydrt01 (SSH)"
iptables -t filter -A SSH -j DROP

> --
> http://chesterton.id.au/blog/
> http://barrang.com.au/
>
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

--
"The truth of that matter is, if you listen carefully, Saddam would still be in
power if he were the president of the United States, and the world would be a
lot better off." - George W. Bush 10/08/2004 St. Louis, MO Second presidential debate
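The rules above express a sliding-window limit: a source that opens four or more new SSH connections within 300 seconds is dropped, and `--update` refreshes the entry each time it keeps trying. The following Python model is an added illustration, not part of the mail and not the kernel's xt_recent code. It assumes one recorded hit per new connection, models `--update` as adding a fresh timestamp when the check matches, and caps the per-address history at 20 stamps (the module's default list length); the sample traffic is constructed, using RFC 5737 documentation addresses.

```python
from collections import Counter, deque

WINDOW_SECONDS = 300   # --seconds 300
HITCOUNT = 4           # --hitcount 4
LIST_LENGTH = 20       # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address


class RecentList:
    """Per-source timestamp history, as the 'recent' match keeps it under --name SSH.
    This is a simplified model of the match semantics, not the kernel implementation."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT, list_length=LIST_LENGTH):
        self.window = window
        self.hitcount = hitcount
        self.list_length = list_length
        self.entries = {}

    def set_hit(self, src, now):
        """--set: create (or refresh) the entry for src and record a hit at time now."""
        self.entries.setdefault(src, deque(maxlen=self.list_length)).append(now)

    def rcheck(self, src, now):
        """--rcheck --seconds W --hitcount N: true when src has N or more hits in the last W seconds."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        return sum(1 for t in stamps if now - t <= self.window) >= self.hitcount

    def update(self, src, now):
        """--update: like rcheck, but a match also records a fresh hit, so a source that
        keeps hammering keeps its own block alive (modelling assumption)."""
        matched = self.rcheck(src, now)
        if matched:
            self.entries[src].append(now)
        return matched


def ssh_chain(rl, src, now):
    """Walk one new SSH connection through the SSH chain from the mail and return its verdict."""
    rl.set_hit(src, now)                  # -m recent --set --name SSH
    if not rl.rcheck(src, now):           # -m recent --name SSH ! --rcheck --seconds 300 --hitcount 4 -j RETURN
        return "RETURN"                   # back to INPUT: the connection is allowed to proceed
    rl.update(src, now)                   # -m recent --name SSH --update
    return "DROP"                         # ULOG line omitted here, then -j DROP


def simulate(events, **kwargs):
    """events: iterable of (time_seconds, source_ip) new connections; returns (t, src, verdict) tuples."""
    rl = RecentList(**kwargs)
    return [(t, src, ssh_chain(rl, src, t)) for t, src in sorted(events)]


def verdict_counts(results):
    """Count verdicts per source, e.g. {(src, 'DROP'): n}."""
    return Counter((src, verdict) for _, src, verdict in results)


# Constructed sample traffic (not real logs): an admin opening three sessions over a few
# minutes, and a password guesser opening a new connection every 2 seconds.
ADMIN = "192.0.2.10"
GUESSER = "198.51.100.77"
SAMPLE = [(0, ADMIN), (45, ADMIN), (200, ADMIN)] + [(2 * i, GUESSER) for i in range(150)]


if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE):
        if src == GUESSER and t > 12:
            continue   # everything after the fourth attempt is DROP; keep the output short
        print(f"t={t:4d}s {src:15s} {verdict}")
    print(dict(verdict_counts(simulate(SAMPLE))))
```

Two things the model makes visible: the limit is per source and knows nothing about usernames or passwords, so a legitimate user who opens four connections in five minutes (a scripted scp loop, say) is dropped just like the guesser; and the chain only works as intended if it sees new connections only, which is why the INPUT rule should be preceded by an ESTABLISHED,RELATED accept or carry a NEW-state match.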
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html