
Re: Passing password in ssh



John Summerfield wrote:
Aldo Foot wrote:


I have a couple of questions:

1. If you use the connection/hour limit scheme does it mean you don't
    use tcpwrappers and you only rely on user/password for authorization?

tcpwrappers doesn't do anything I need that I can't also do with netfilter.

2. Is this what you use to configure five ssh connections per hour?
    #tcplimit 22 5 hour on
?? I don't ken that.
from iptables-save:

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "SSH connexion "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH connexion attack dropped "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP


Here's a logwatch summary:
Dropped 293 packets on interface eth0
  From 89.149.217.67 - 5 packets to tcp(22)
  From 116.38.112.245 - 4 packets to tcp(22)
  From 124.128.250.178 - 26 packets to tcp(22)
  From 128.135.130.42 - 1 packet to tcp(22)
  From 202.106.62.148 - 42 packets to tcp(22)
  From 203.94.8.149 - 28 packets to tcp(22)
  From 203.153.36.4 - 25 packets to tcp(22)
  From 203.174.48.70 - 28 packets to tcp(22)
  From 210.212.249.165 - 1 packet to tcp(22)
  From 219.239.218.162 - 27 packets to tcp(22)
  From 220.177.248.174 - 28 packets to tcp(22)
  From 221.13.10.139 - 78 packets to tcp(22)

Logged 27 packets on interface eth0
  From 89.149.217.67 - 2 packets to tcp(22)
  From 116.38.112.245 - 2 packets to tcp(22)
  From 124.128.250.178 - 2 packets to tcp(22)
  From 128.135.130.42 - 1 packet to tcp(22)
  From 202.106.62.148 - 3 packets to tcp(22)
  From 203.94.8.149 - 2 packets to tcp(22)
  From 203.153.36.4 - 2 packets to tcp(22)
  From 203.174.48.70 - 2 packets to tcp(22)
  From 219.239.218.162 - 2 packets to tcp(22)
  From 220.177.248.174 - 2 packets to tcp(22)
  From 221.13.10.139 - 7 packets to tcp(22)

I am more liberal with connexions from locations I may visit; I don't rate-limit or log.

It would take some time or improbable luck for someone to crack a password, even a weak one, at the rate of attempts I see.

Note too that this is my second access control; I run shorewall on the Internet gateway, and that blocks great gobs of people who've offended me. Mostly, when folk get past my antispam I do a whois search and block _at_ least a /24 network, sometimes a /13. Those, I block smtp, imap (we don't run pop) and ssh.




OSSEC can do that same thing for you automatically based on IP address of the attacker as well.


--
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
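The two LOG rules in John's iptables-save output tag every packet they see with either "SSH connexion " (within the 5/hour budget, then accepted) or "SSH connexion attack dropped " (over budget, then dropped), and logwatch turns those kernel messages into the per-source summary he pasted. The script below is an added example, not code from the thread or from logwatch: it parses netfilter LOG lines with those two prefixes into the same kind of summary and flags the sources that were dropped most often. The log lines are constructed for illustration (addresses are from documentation ranges); the IN=/SRC=/PROTO=/DPT= field layout is netfilter's standard LOG target output.

```python
"""Summarise netfilter LOG lines from the SSH rate-limit rules (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample (not real traffic) of what syslog records when the two
# LOG rules fire. The LOG target prints key=value fields after --log-prefix.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: SSH connexion IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40111 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:13 gw kernel: SSH connexion IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=22 SYN URGP=0
Mar  3 10:01:14 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40113 DPT=22 SYN URGP=0
Mar  3 10:01:15 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40114 DPT=22 SYN URGP=0
Mar  3 10:01:16 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40115 DPT=22 SYN URGP=0
Mar  3 10:02:01 gw kernel: SSH connexion IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar  3 10:05:00 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=60001 DPT=22 SYN URGP=0
Mar  3 10:05:01 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=60002 DPT=22 SYN URGP=0
Mar  3 10:05:02 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=60003 DPT=22 SYN URGP=0
Mar  3 10:05:03 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=60004 DPT=22 SYN URGP=0
Mar  3 10:06:00 gw kernel: eth0: link is up
Mar  3 10:06:30 gw sshd[2211]: Accepted publickey for alice from 192.0.2.44 port 51000 ssh2
"""

# The two --log-prefix strings from the rules; everything after them is
# netfilter's own key=value field dump, which always starts with IN=.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>SSH connexion(?: attack dropped)?) (?P<fields>IN=.*)$"
)


def parse_line(line):
    """Return a record for a rate-limit LOG line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:                      # flags such as DF or SYN have no '='
            key, _, value = token.partition("=")
            fields[key] = value
    if fields.get("PROTO") != "TCP" or "DPT" not in fields or "SRC" not in fields:
        return None
    return {
        "dropped": m.group("prefix").endswith("attack dropped"),
        "iface": fields.get("IN") or "?",
        "src": fields["SRC"],
        "dport": int(fields["DPT"]),
    }


def summarize(log_text):
    """Count packets per (interface, source, port) for the dropped and logged rules."""
    summary = {"dropped": defaultdict(Counter), "logged": defaultdict(Counter)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = "dropped" if rec["dropped"] else "logged"
        summary[bucket][rec["iface"]][(rec["src"], rec["dport"])] += 1
    return summary


def _ip_key(ip):
    """Sort dotted-quad addresses numerically, as logwatch does."""
    return tuple(int(part) for part in ip.split("."))


def format_report(summary):
    """Render the summary in the same shape as the logwatch excerpt."""
    out = []
    for bucket, title in (("dropped", "Dropped"), ("logged", "Logged")):
        for iface, counter in sorted(summary[bucket].items()):
            out.append(f"{title} {sum(counter.values())} packets on interface {iface}")
            for (src, dport), n in sorted(counter.items(), key=lambda kv: _ip_key(kv[0][0])):
                unit = "packet" if n == 1 else "packets"
                out.append(f"  From {src} - {n} {unit} to tcp({dport})")
            out.append("")
    return "\n".join(out).rstrip("\n")


def noisy_sources(summary, threshold):
    """Sources whose dropped-packet count (all interfaces) reaches the threshold,
    highest first; a candidate list for the kind of whois-and-block John describes."""
    totals = Counter()
    for counter in summary["dropped"].values():
        for (src, _dport), n in counter.items():
            totals[src] += n
    hits = [(src, n) for src, n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda kv: (-kv[1], _ip_key(kv[0])))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(format_report(s))
    print("over threshold:", noisy_sources(s, 4))
```

Note that the "attack dropped" LOG rule carries no `--state NEW` match, so a client that retransmits its SYN after the first one is dropped shows up as several dropped packets; the counts are packets, not connection attempts, exactly as in the logwatch figures above.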

