Questions concerning Security Log

Brian Gaynor briang at
Fri Apr 8 16:28:59 UTC 2005

On Fri, 2005-04-08 at 10:36 +0300, Dotan Cohen wrote:

> I see that the attacker is coming from multiple IPs. Although I
> currently do not ssh into this computer, I would like to leave that
> option open. Actually, I would like to set that up as soon as possible.
> What should I block if I am being attacked by several IPs, but I do
> not want to block ssh altogether?

You can also configure IPTABLES to look for failed attempts to log on
and block the IP temporarily (say for 5 minutes) after a number of
failed logon attempts (say 5 within 60 seconds). That's what we do and
it reduces the log noise and limits the attacks. Here's what I use in
IPTABLES (I'm sure members of this list could improve on this - also
code may wrap):

#  Modprobe the extra modules we need
modprobe ipt_recent
modprobe ip_conntrack

#  Remove any old rules
iptables -F
iptables -X
iptables -Z

#  Some variables - REPLACE WITH YOUR IP
IFACE=eth0    # placeholder value, replace with your external interface

#  Kill ssh hackers - watch for more than 5 connection attempts in under
#  60 seconds and reject for 5 minutes
iptables -N SSH-EVIL
#  Record the address in the badSSH list and log it; LOG is a non-terminating
#  target, so the REJECT on the next rule still fires
iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
iptables -A SSH-EVIL -j REJECT

iptables -N SSH
#  Non-SYN packets of an already established ssh session are passed straight
#  through (target assumed to be ACCEPT; only the new SYNs are counted below)
iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Still inside the 5-minute penalty window -> reject
iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 300 -j REJECT
#  Already 5 SYNs from this address within 60 seconds -> this one is the 6th, send to SSH-EVIL
iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-EVIL
#  Otherwise record the SYN and accept it
iptables -A SSH -p tcp --syn -m recent --name sshconn --set
iptables -A SSH -p tcp --syn -j ACCEPT

#  Allow unlimited traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#  Send ssh down our user-defined chain, allow ftp ...
iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 22 -j SSH

... rest of IPTABLES rules

Brian Gaynor
FC3/Linux on DELL Inspiron 5160 3.0Ghz
canis 09:23:07 up 52 min, 2 users, load average: 0.15, 0.15,
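To make the rule ordering in the SSH chain above easier to trace, here is an added Python model of the ipt_recent "--set" / "--rcheck --seconds --hitcount" matching that those rules rely on. It is not Brian's script or the kernel module's code, and it approximates the module (a bounded list of per-address timestamps, default 20 entries, checked against a time window); the addresses and timestamps are constructed test traffic, not captured from any host. It shows why the 6th SYN inside 60 seconds is the one rejected, that the 5-minute penalty starts from the moment the address was flagged, and that a probe spaced 15 seconds apart never trips the hitcount at all.

```python
# Added example: a small model of the ipt_recent / xt_recent match as used by
# the SSH and SSH-EVIL chains above. Not the kernel's code; timestamps are
# seconds and the IPs are constructed RFC 5737 documentation addresses.
from collections import defaultdict, deque

# ipt_recent keeps a bounded list of packet timestamps per address
# (module parameter ip_pkt_list_tot, default 20); the deque bound emulates that.
PKT_LIST_TOT = 20


class RecentTable:
    """One '--name' table of the recent match: address -> recent timestamps."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, ip, now):
        """'--set': add the address, or a new timestamp for it."""
        self.stamps[ip].append(now)

    def rcheck(self, ip, now, seconds, hitcount=1):
        """'--rcheck --seconds S --hitcount H': true when the address is in the
        table with at least H timestamps no older than S seconds. Unlike
        '--update', rcheck never modifies the table."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        return hits >= hitcount


class SshChain:
    """Verdict of the SSH chain for each inbound SYN to port 22."""

    BLOCK_SECONDS = 300   # --rcheck --seconds 300 on badSSH
    WINDOW_SECONDS = 60   # --rcheck --seconds 60 on sshconn
    HITCOUNT = 5          # --hitcount 5

    def __init__(self):
        self.bad_ssh = RecentTable()   # --name badSSH
        self.ssh_conn = RecentTable()  # --name sshconn
        self.log = []                  # what the LOG target in SSH-EVIL would emit

    def syn(self, ip, now):
        # Rule 1: flagged within the last 5 minutes -> REJECT
        if self.bad_ssh.rcheck(ip, now, self.BLOCK_SECONDS):
            return "REJECT"
        # Rule 2: already 5 SYNs inside 60 s -> SSH-EVIL (flag, log, REJECT).
        # The check runs before this packet's own '--set', so the 6th SYN trips it.
        if self.ssh_conn.rcheck(ip, now, self.WINDOW_SECONDS, self.HITCOUNT):
            self.bad_ssh.set(ip, now)
            self.log.append(f"evil SSH user: SRC={ip} t={now}")
            return "REJECT"
        # Rules 3 and 4: record this SYN, then accept it
        self.ssh_conn.set(ip, now)
        return "ACCEPT"


def simulate(events):
    """Run chronological (ip, time) SYN events through a fresh chain.
    Returns ([(ip, time, verdict), ...], log_lines)."""
    chain = SshChain()
    verdicts = [(ip, t, chain.syn(ip, t)) for ip, t in events]
    return verdicts, chain.log


# Constructed traffic: a burst of 8 SYNs from 192.0.2.10 one second apart,
# a legitimate login from 198.51.100.5, the burster retrying while still
# penalised (t=200) and again after the 5-minute window has lapsed (t=310).
BURST = [("192.0.2.10", t) for t in range(8)]
SAMPLE = BURST + [("198.51.100.5", 9), ("192.0.2.10", 200), ("192.0.2.10", 310)]

# A "low and slow" probe: one SYN every 15 s never reaches 5 hits in any
# 60-second window, so this rule set alone does not stop it. Pair it with
# key-only authentication and blocking driven by the auth log.
SLOW = [("198.51.100.7", t) for t in range(0, 120, 15)]

if __name__ == "__main__":
    verdicts, log = simulate(SAMPLE)
    for ip, t, verdict in verdicts:
        print(f"t={t:4d} {ip:14s} {verdict}")
    print(*log, sep="\n")
```

Running it shows the first five SYNs from 192.0.2.10 accepted, the 6th flagged and logged, the 7th, 8th and the retry at t=200 rejected by the badSSH check, and the retry at t=310 accepted again because both the penalty and the 60-second hit window have expired; the other two addresses are never touched, which is the property Dotan asked for (per-source limiting without blocking ssh for everyone).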

