Re: Dictionary sshd attacks

From: Jon (jon_at_watcher.net.nz)
Date: 08/18/05

  • Next message: Vilmos Soti: "Re: how to restrict user from running some downloaded prgm?" 
    Date: Fri, 19 Aug 2005 07:26:38 +1200

    cooper2k4 wrote:

    > Brian Hall wrote:
    >> On 2005-07-17, Michael Heiming wrote:
    >>
    >>>In comp.os.linux.security Wayne <wayne@nospam.4me.invalid>:
    >>>
    >>>>Is it possible to have sshd or some other daemon recognize
    >>>>a dictionary attack in progress, and to "shun" that IP for
    >>
    >> There was a recent posting about this on slashdot, and several people
    >> posted iptables methods of dealing with this, using the "recent" rule.
    >>
    >> http://it.slashdot.org/article.pl?sid=05/07/16/1615233
    >> "Rundown on SSH Brute Force Attacks"
    >>
    >> This is what was posted (there was a more complicated one that allowed
    >> for ssh IP whitelisting):
    >>
    >> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck
    >> --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
    >> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck
    >> --hitcount 3 --seconds 600 -j DROP
    >> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT
    >> --to-destination $INTERNAL:22
    >> -A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination
    >> $INTERNAL:22
    >>
    >
    > I wonder why I can't use the limit module? The following two lines block SSH
    > connections from the beginning. Why does it not count to 5?
    >
    > $IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -m state --state NEW -m limit
    > --limit 5/min -j ACCEPT
    > $IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -j DROP
    >
    > Thanks
    > Thorsten

    I could be wrong but I think it is because you're not allowing any RELATED or
    ESTABLISHED connections through. Try adding this line in between the two rules
    above.

    $IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -m state --state
    RELATED,ESTABLISHED -j ACCEPT 

    -- 
Jon
jon@watcher.net.nz
  • Next message: Vilmos Soti: "Re: how to restrict user from running some downloaded prgm?"

    Relevant Pages

    • Re: PREVIOUS GOOD VPN CONNECTIONS BROKEN
      ... Posting on MS newsgroup will benefit all readers and you may get more help. ... Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on ... > Previous working VPN connections do not allow connections after an upgrade ... > it can't connect because of Windows authentication issues or lanman ...
      (microsoft.public.windowsxp.network_web)
    • Re: To configure RRAS, please disable IC and try again.
      ... reponded to your posting thus far then I'll try to do my best to assist you. ... > customer case that was experiencing the same behavior on Windows Server ... Go into Network Connections and delete "Incoming Connections". ... Configure RRAS, then configure Routing and Remote Access System to ...
      (microsoft.public.win2000.advanced_server)
    • Re: No Network Connection
      ... ipconfig /all look like? ... Posting on MS newsgroup will benefit all readers and you may get more help. ... The problem is when I open Network ... >Connections it is empty. ...
      (microsoft.public.windowsxp.network_web)
    • Re: ADO.Net and Garbage Collection
      ... I make more than a fair share of mistakes when posting to the newsgroups, ... >> to clean up for you, exactly what you want to avoid. ... clean up pooled connections for you. ...
      (microsoft.public.dotnet.framework.adonet)
    • RE: auto dial up
      ... Switch to the Connections tab. ... Click the "Create a new account" link. ... Microsoft Online Partner Support ... This posting is provided "AS IS" with no warranties, ...
      (microsoft.public.windowsxp.general)