Re: Dictionary sshd attacks

From: cooper2k4 (cooper2k4_at_arcor.de)
Date: 08/18/05


Date: Thu, 18 Aug 2005 13:23:39 +0200

Brian Hall wrote:
> On 2005-07-17, Michael Heiming wrote:
>
>>In comp.os.linux.security Wayne <wayne@nospam.4me.invalid>:
>>
>>>Is it possible to have sshd or some other daemon recognize
>>>a dictionary attack in progress, and to "shun" that IP for
>
> There was a recent posting about this on slashdot, and several people
> posted iptables methods of dealing with this, using the "recent" rule.
>
> http://it.slashdot.org/article.pl?sid=05/07/16/1615233
> "Rundown on SSH Brute Force Attacks"
>
> This is what was posted (there was a more complicated one that allowed
> for ssh IP whitelisting):
>
> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck \
>     --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck \
>     --hitcount 3 --seconds 600 -j DROP
> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set \
>     -j DNAT --to-destination $INTERNAL:22
> -A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 \
>     -j DNAT --to-destination $INTERNAL:22
>

I wonder why I can't use the limit module? The following two lines block SSH
connections from the beginning. Why does it not count to 5?

$IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m limit --limit 5/min -j ACCEPT
$IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -j DROP

Thanks
Thorsten
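The two rule sets in this thread rely on matchers with quite different semantics, and the difference is easy to lose in the iptables syntax. The following Python model is an added example (not code from the thread or from netfilter itself) that simulates the decision logic of both: `-m limit` is one token bucket shared by every source address (rate `5/min`, default `--limit-burst 5`), while `-m recent --rcheck --hitcount 3 --seconds 600` followed by `-m recent --set` keeps a per-source list of timestamps and drops a source once three hits fall inside the window. The model assumes one hit per new TCP connection (the quoted nat-table PREROUTING rules only see the first packet of a connection), uses floating-point credit where xt_limit uses integer jiffies, and runs over a constructed timeline with an attacker at 203.0.113.7 and an administrator at 198.51.100.2. It shows what the matchers are designed to do; it does not explain the behaviour Thorsten observed with his own rules.

```python
"""Model of two iptables matchers used against SSH dictionary attacks.

Added example, not from the original thread.  Simulates the decision
logic of `-m limit` (one global token bucket) and of the quoted
`-m recent --rcheck --hitcount 3 --seconds 600` / `-m recent --set`
pair (a per-source sliding window).  Assumptions: one hit per new
connection, default --limit-burst of 5, float credit instead of
jiffies, and the constructed EVENTS timeline at the bottom.
"""
from collections import defaultdict, deque


class LimitMatch:
    """xt_limit: a single token bucket shared by ALL sources, not per IP."""

    def __init__(self, rate_per_min: float, burst: int = 5):
        self.capacity = burst               # --limit-burst, default 5
        self.tokens = float(burst)          # bucket starts full
        self.refill = rate_per_min / 60.0   # tokens added per second
        self.last = None

    def match(self, now: float) -> bool:
        """True if a token is available for this packet (rule matches)."""
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecentTable:
    """xt_recent list: per-source timestamps with --rcheck/--hitcount and --set."""

    def __init__(self, seconds: int, hitcount: int, pkt_list_tot: int = 20):
        self.seconds = seconds
        self.hitcount = hitcount
        # ip_pkt_list_tot (default 20) caps the stamps kept per source
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def rcheck(self, src: str, now: float) -> bool:
        """--rcheck --hitcount N --seconds S: N or more stamps inside the window."""
        inside = [t for t in self.stamps[src] if now - t <= self.seconds]
        return len(inside) >= self.hitcount

    def set(self, src: str, now: float) -> None:
        """--set: record another hit for this source."""
        self.stamps[src].append(now)


def run_recent_ruleset(events, seconds=600, hitcount=3):
    """The quoted rules: rcheck -> LOG/DROP, otherwise set -> DNAT (accepted)."""
    table = RecentTable(seconds, hitcount)
    decisions = []
    for now, src in events:
        if table.rcheck(src, now):
            decisions.append("DROP")        # LOG rule fires first, then DROP
        else:
            table.set(src, now)
            decisions.append("DNAT")
    return decisions


def run_limit_ruleset(events, rate_per_min=5, burst=5):
    """Thorsten's two rules: limit -> ACCEPT, everything else -> DROP."""
    bucket = LimitMatch(rate_per_min, burst)
    return ["ACCEPT" if bucket.match(now) else "DROP" for now, _ in events]


# Constructed timeline: (seconds since start, source address).  An attacker
# hammers from 203.0.113.7 while an administrator connects from 198.51.100.2.
EVENTS = [
    (0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
    (3, "203.0.113.7"), (4, "203.0.113.7"), (5, "203.0.113.7"),
    (6, "198.51.100.2"),        # administrator, while the attack is running
    (610, "203.0.113.7"),       # attacker returns after its stamps have aged out
    (700, "198.51.100.2"),      # administrator again
]

if __name__ == "__main__":
    for (now, src), r, l in zip(EVENTS, run_recent_ruleset(EVENTS),
                                run_limit_ruleset(EVENTS)):
        print(f"t={now:4d} {src:14s} recent={r:5s} limit={l}")
```

Running the model shows the practical difference: the `recent` rules admit three connections from the attacker, drop the rest, and still let the administrator in at t=6, because the window is kept per source. The `limit` rules admit the first five connections regardless of origin and then, because the bucket is global, also drop the administrator at t=6; `-m limit` only says how many new SSH connections the whole host accepts per minute, it cannot single out the attacking address.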