Re: Dictionary sshd attacks

From: Jon (jon_at_watcher.net.nz)
Date: 08/18/05

  • Next message: Vilmos Soti: "Re: how to restrict user from running some downloaded prgm?"
    Date: Fri, 19 Aug 2005 07:26:38 +1200
    
    

    cooper2k4 wrote:

    > Brian Hall wrote:
    >> On 2005-07-17, Michael Heiming wrote:
    >>
    >>>In comp.os.linux.security Wayne <wayne@nospam.4me.invalid>:
    >>>
    >>>>Is it possible to have sshd or some other daemon recognize
    >>>>a dictionary attack in progress, and to "shun" that IP for
    >>
    >> There was a recent posting about this on slashdot, and several people
    >> posted iptables methods of dealing with this, using the "recent" rule.
    >>
    >> http://it.slashdot.org/article.pl?sid=05/07/16/1615233
    >> "Rundown on SSH Brute Force Attacks"
    >>
    >> This is what was posted (there was a more complicated one that allowed
    >> for ssh IP whitelisting):
    >>
    >> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck
    >> --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
    >> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck
    >> --hitcount 3 --seconds 600 -j DROP
    >> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT
    >> --to-destination $INTERNAL:22
    >> -A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination
    >> $INTERNAL:22
    >>
    >
    > I wonder why I can't use the limit module? The following two lines block SSH
    > connections from the beginning. Why does it not count to 5?
    >
    > $IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -m state --state NEW -m limit
    > --limit 5/min -j ACCEPT
    > $IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -j DROP
    >
    > Thanks
    > Thorsten

    I could be wrong but I think it is because you're not allowing any RELATED or
    ESTABLISHED connections through. Try adding this line in between the two rules
    above.

    $IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -m state --state
    RELATED,ESTABLISHED -j ACCEPT

    -- 
    Jon
    jon@watcher.net.nz
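As an added example (not code from the thread), here is a POSIX shell script that lays out Thorsten's limit rules with Jon's RELATED,ESTABLISHED rule in the right place, plus a per-source variant of the slashdot "recent" rules on the INPUT chain. The script, its function names and the APPLY, IFACE and IPTABLES variables are assumptions of this example; it prints the commands by default and only runs them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the iptables commands
# (dry run) unless APPLY=1 is set; IFACE and IPTABLES are assumed names.
IPT="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s\n' "$IPT $*"
    fi
}

# Thorsten's limit rules with Jon's fix: packets of a connection that was
# already accepted are RELATED/ESTABLISHED, not NEW, so they must be accepted
# before the final DROP or the handshake dies after the first SYN. Note that
# "limit" is a single global bucket, not a per-source one.
ssh_limit_rules() {
    run -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 5/min --limit-burst 5 -j ACCEPT
    run -A INPUT -i "$IFACE" -p tcp --dport 22 -j DROP
}

# Per-source variant of the slashdot "recent" rules, placed on INPUT (where
# LOG and DROP are valid targets) instead of PREROUTING. A source that already
# has 3 new connections recorded in the last 600 s gets its next attempt
# logged and dropped; otherwise the attempt is recorded and accepted.
ssh_recent_rules() {
    run -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --rcheck --seconds 600 --hitcount 3 -j LOG --log-prefix "SSH attack: "
    run -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --rcheck --seconds 600 --hitcount 3 -j DROP
    run -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name SSH --set -j ACCEPT
}

case "${1:-}" in
    limit)  ssh_limit_rules ;;
    recent) ssh_recent_rules ;;
esac
```

Run it as `sh ssh-rules.sh limit` or `sh ssh-rules.sh recent` to review the commands before applying them with APPLY=1.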
    
