Re: Dictionary sshd attacks

From: Thorsten Küfer (thorsten.kuefer_at_uni-muenster.de)
Date: 08/19/05


Date: Fri, 19 Aug 2005 08:17:09 +0200

Jon wrote:
> cooper2k4 wrote:
>>Brian Hall wrote:
>>
>>>On 2005-07-17, Michael Heiming wrote:
>>>
>>>
>>>>In comp.os.linux.security Wayne <wayne@nospam.4me.invalid>:
>>>>
>>>>
>>>>>Is it possible to have sshd or some other daemon recognize
>>>>>a dictionary attack in progress, and to "shun" that IP for
>>>
>>>There was a recent posting about this on slashdot, and several people
>>>posted iptables methods of dealing with this, using the "recent" rule.
>>>
>>>http://it.slashdot.org/article.pl?sid=05/07/16/1615233
>>>"Rundown on SSH Brute Force Attacks"
>>>
>>>This is what was posted (there was a more complicated one that allowed
>>>for ssh IP whitelisting):
>>>
>>>-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck
>>>--hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
>>>-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck
>>>--hitcount 3 --seconds 600 -j DROP
>>>-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT
>>>--to-destination $INTERNAL:22
>>>-A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination
>>>$INTERNAL:22
>>>
>>
>>I wonder why I can't use the limit module? The following two lines block SSH
>>connections from the beginning. Why does it not count to 5?
>>
>>$IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -m state --state NEW -m limit
>>--limit 5/min -j ACCEPT
>>$IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -j DROP
>>
>
> I could be wrong but I think it is because you're not allowing any RELATED or
> ESTABLISHED connections through. Try adding this line in between the two rules
> above.
>
> $IPTABLES -i eth0 -A INPUT -p tcp --dport 22 -m state --state
> RELATED,ESTABLISHED -j ACCEPT

I have just tested it and you are right. With these three rules it is working.
Incoming SSH connections are limited to five, established connections are
unaffected and otherwise the packets are dropped.

Regards
Thorsten
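As an added illustration (not part of the thread, and a constructed model rather than netfilter itself): a small Python simulation of the two chains discussed above, with conntrack state and the `limit` module's token bucket approximated, showing why cooper2k4's two-rule chain drops the second packet of every connection and why the three-rule chain with Jon's RELATED,ESTABLISHED rule lets the handshake complete while still capping fresh connections.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Limit:
    """Token bucket approximating `-m limit --limit 5/min` (default --limit-burst 5)."""
    per_min: float = 5.0
    burst: int = 5
    tokens: float = 5.0   # starts full, i.e. equal to burst
    last: float = 0.0
    def match(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.per_min / 60)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True
@dataclass
class Rule:
    action: str                         # ACCEPT or DROP
    states: Optional[frozenset] = None  # `--state` match; None = any state
    limit: Optional[Limit] = None       # `-m limit`; None = no rate match
def run_chain(rules, packets):
    """Walk each (flow_id, seconds) packet through the rule list; first match wins.
    A flow is ESTABLISHED only after its NEW packet was accepted, since conntrack
    discards the entry of a dropped first packet. Unmatched packets get DROP."""
    established, verdicts = set(), []
    for flow, now in packets:
        state = "ESTABLISHED" if flow in established else "NEW"
        verdict = "DROP"
        for r in rules:
            if r.states is not None and state not in r.states:
                continue
            if r.limit is not None and not r.limit.match(now):
                continue
            verdict = r.action
            break
        if verdict == "ACCEPT" and state == "NEW":
            established.add(flow)
        verdicts.append(verdict)
    return verdicts
NEW, EST = frozenset({"NEW"}), frozenset({"RELATED", "ESTABLISHED"})
def two_rule_chain():    # cooper2k4's pair: limited NEW accept, then DROP
    return [Rule("ACCEPT", NEW, Limit()), Rule("DROP")]
def three_rule_chain():  # Jon's RELATED,ESTABLISHED accept inserted between them
    return [Rule("ACCEPT", NEW, Limit()), Rule("ACCEPT", EST), Rule("DROP")]
# Constructed traffic: one client's SYN, its handshake ACK and a data segment;
# then six fresh connections arriving two seconds apart.
HANDSHAKE = [("client-a", 0.0), ("client-a", 0.01), ("client-a", 0.05)]
BURST = [(f"bot-{i}", i * 2.0) for i in range(6)]
```

With the two-rule chain the client's ACK is already ESTABLISHED, matches neither the NEW rule nor anything but the final DROP, and the session never gets past the handshake; with the third rule in place the same ACK is accepted and only the sixth fresh connection within the burst window is dropped.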