[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Questions concerning Security Log



On Fri, 2005-04-08 at 10:36 +0300, Dotan Cohen wrote:

> I see that the attacker is comming from multiple IP's. Although I
> currently do not ssh into this comupter, I would like to leave that
> option open. Acually, I would like to set that up as soon as possible.
> What should I block if I am being attacked by several IP's, but I do
> not want to block ssh altogether?
> 

You can also configure IPTABLES to look for failed attempts to log on
and block the IP temporarily (say for 5 minutes) after a number of
failed logon attempts (say 5 within 60 seconds). That's what we do and
it reduces the log noise and limits the attacks. Here's what I use in
IPTABLES (I'm sure members of this list could improve on this - also
code may wrap):

#!/bin/sh
#  Modprobe the extra modules we need
modprobe ipt_recent
modprobe ip_conntrack

#  Remove any old rules
iptables -F
iptables -X
iptables -Z

#  Some variables - REPLACE WITH YOUR IP
IFACE="eth0"
IPADDR="192.168.1.1"

#  Kill ssh hackers - watch for more than 5 connection attempts in under
#  60 seconds and reject for 5 minutes
iptables -N SSH-EVIL
iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level
DEBUG --log-prefix "evil SSH user: "
iptables -A SSH-EVIL -j REJECT

iptables -N SSH
iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds
300 -j REJECT
iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds
60 --hitcount 5 -j SSH-EVIL
iptables -A SSH -p tcp --syn -m recent --name sshconn --set
iptables -A SSH -p tcp --syn -j ACCEPT

#  Allow unlimited traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#  Send ssh down our user-defined chain, allow ftp ...
iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 22 -j SSH

... rest of IPTABLES rules


-- 
Brian Gaynor
FC3/Linux on DELL Inspiron 5160 3.0Ghz 
canis 09:23:07 up 52 min, 2 
users, load average: 0.15, 0.15, 



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]