Re: SSH IP Blocking

From: Tim Haynes (usenet@stirfried.vegetable.org.uk)
Date: 04/18/02


From: Tim Haynes <usenet@stirfried.vegetable.org.uk>
Date: 18 Apr 2002 15:05:32 +0100


"Skatan" <skatan@t-online.de> writes:

> >You're going to get *FAR* more one-port single-SYN scans, or occasional
> >SYN+FIN scans, and never hear from the IP# again. Unless you *really*
> >know better, I suggest you're going to waste your firewall rules on
> >folks who're never coming back - do let me know if you get anything like
> >>1% repeat offenders, right?
>
> Well, the script i am thinking about is just checking /var/log/messages
> for 3 failed ssh logins and then block these IPs. After a few hours it
> would then remove those IPs from my "ban list" again. So there prolly
> won´t be many iptables rules.

Only a few hours? If someone is so determined as to open a whole connect(2)
and attempt to log in over ssh, they're going to wait a week and come back.

> >It'd be pretty darn' hard, but they don't need to *log in* when they can
> >DoS you.
>
> Talking about DoS. Is there anything i can do against that then?

The drop-by-default firewall is a good start. Then you -m limit it so it
won't DoS your syslog. Then you also tweak all the sysctls for maximum
*througput* - don't keep SYNs hanging around too long, rate-restrict your
ICMP, don't respond to invalid (fingerprinting) crud, ... you name it.

~Tim

-- 
There's a shrine on the Assynt hillside     |piglet@stirfried.vegetable.org.uk
Made of earth and salt and rain             |http://spodzone.org.uk/



Relevant Pages

  • Re: SSH IP Blocking
    ... I suggest you're going to waste your firewall rules on folks who're ... would then remove those IPs from my "ban list" again. ... Talking about DoS. ...
    (comp.os.linux.security)
  • Re: walled garden concept
    ... I have done this using private ips. ... My method simply changes the firewall rules, ... When radius either gets a disconnect or auth attempt on the same port, ... instead we just let radius hand out static ips from a database pool. ...
    (freebsd-isp)
  • Re: sshd question
    ... seen a lot of times such a unsuccessfull tries to log to a system I'm ... from unknown for me IPs I just put some firewall rules. ... on the main firewall and they were blocking all outside ssh/telnet ...
    (comp.os.linux.security)
  • Re: Spam - What is a simple way to hide email address?
    ... > So what is the "set of firewall rules to block all traffic from ... > korea & china." ... I look up the details in blackholes.us to identify the whole block of IPs ...
    (comp.security.firewalls)
  • Re: DOS attack logged by Netgear router DG836G
    ... telnet to the router and at the shell prompt type: ... iptables -nvL DOS ... to see the firewall rules which determine what a DOS is. ...
    (uk.telecom.broadband)