crazy hackers and logwatch

Kevin Fenzi kevin-redhat-beta at scrye.com
Tue Aug 9 15:39:56 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Marco" == Marco Meyerhofer <marco_meyerhofer at freesurf.ch> writes:

Marco> I recently set up some rules.  I know they could be abused for
Marco> DoS, but for me this is a minor problem.  Warning: I am not
Marco> sure if they work correctly, or if they cause some problems.

Marco> # SSH brute force protection $EXT_IF
Marco> $IPTABLES -N ssh_brute
Marco> $IPTABLES -A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ssh_brute
Marco> # record every new connection from this source in the "ssh" list
Marco> $IPTABLES -A ssh_brute -m recent --name ssh --set
Marco> # fewer than 4 hits in the last 120 s: return to INPUT (--hitcount itself
Marco> # cannot be negated, the "!" goes on --update); 4 or more fall through
Marco> $IPTABLES -A ssh_brute -m recent --name ssh ! --update --seconds 120 --hitcount 4 -j RETURN
Marco> # log (rate-limited) and drop the excess
Marco> $IPTABLES -A ssh_brute -m limit -j LOG --log-prefix "ssh bruteforce "
Marco> $IPTABLES -A ssh_brute -j DROP

A better rule (IMHO), which I use: 

# per-source token bucket: accept NEW SSH connections while the source stays
# within 1/min (burst of 5, the hashlimit default); anything over the limit
# matches nothing here and falls through to the rules below
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m hashlimit --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh \
    -j ACCEPT

This has the advantage of only blocking the offending IP if it goes
over 1/min, while letting all other IPs keep access until they go
over the limit.

kevin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFC+M5P3imCezTjY0ERApEgAJ9lDrUDdOVVYjz7kokJlntU8xj33gCbBvZT
dUgowokLV9sWB6mLIf4+O2M=
=ajK2
-----END PGP SIGNATURE-----
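Editor's note: to make the difference between the two rule sets in this thread concrete, here is an added simulation (not code from either poster) that models both behaviours over a constructed log of NEW connections to port 22. `recent_filter` follows Marco's `-m recent` rules (record with `--set`, drop once 4 or more hits fall inside a 120 s window); `hashlimit_filter` follows Kevin's `-m hashlimit 1/min --hashlimit-mode srcip` rule as a per-source token bucket. The two IP addresses and their timings are made up for the example; the burst of 5 is iptables' default `--hashlimit-burst`; hash table entry expiry and the recent module's per-entry stamp limit are assumed not to matter for a sample this small.

```python
"""Simulated comparison of the two iptables SSH rate-limiting approaches.

Added example for this page, not code from the original post. It models
the rules instead of calling iptables, so it runs without root.

  * recent_filter: -m recent --set, then ! --update --seconds 120
    --hitcount 4 -j RETURN, else DROP. A source is dropped once 4 or more
    of its NEW connections fall inside the last 120 s. Every attempt is
    recorded, so a host is let back in only once fewer than 4 of its
    attempts lie inside the window.
  * hashlimit_filter: -m hashlimit --hashlimit 1/min --hashlimit-mode
    srcip. Each source has a credit balance that refills at one
    connection per 60 s up to a burst of 5 (iptables' default
    --hashlimit-burst). A connection that finds enough credit is
    accepted; otherwise the rule does not match and the packet falls
    through to whatever follows (a final DROP is assumed).

Assumptions: hash table entry expiry and the recent module's per-entry
stamp limit (ip_pkt_list_tot, default 20) are ignored; the constructed
sample stays well below both.
"""
from collections import defaultdict, deque

WINDOW = 120        # -m recent --seconds 120
HITCOUNT = 4        # -m recent --hitcount 4
RATE_SECONDS = 60   # --hashlimit 1/min: one connection's worth of credit per 60 s
BURST = 5           # default --hashlimit-burst

# Constructed sample log of NEW connections to port 22 as (seconds, source IP):
# a legitimate admin at 192.0.2.10 and a brute-forcer at 198.51.100.7 that
# connects every 2 s for 30 s, retries at t=120 and once more at t=250.
ATTEMPTS = sorted(
    [(0, "192.0.2.10"), (45, "192.0.2.10"), (400, "192.0.2.10")]
    + [(t, "198.51.100.7") for t in range(0, 30, 2)]
    + [(120, "198.51.100.7"), (250, "198.51.100.7")]
)


def recent_filter(attempts, window=WINDOW, hitcount=HITCOUNT):
    """Apply the recent/hitcount rules; return [(t, ip, verdict), ...]."""
    stamps = defaultdict(deque)          # ip -> timestamps of its recent attempts
    results = []
    for t, ip in attempts:
        q = stamps[ip]
        q.append(t)                      # -m recent --set: record this attempt
        while q and t - q[0] >= window:  # only stamps inside the window count as hits
            q.popleft()
        # "! --update --hitcount 4 -j RETURN" matches (and so accepts) below
        # the threshold; at or above it the packet reaches LOG and DROP.
        verdict = "DROP" if len(q) >= hitcount else "ACCEPT"
        results.append((t, ip, verdict))
    return results


def hashlimit_filter(attempts, rate_seconds=RATE_SECONDS, burst=BURST):
    """Apply a per-srcip token bucket like -m hashlimit; return [(t, ip, verdict), ...]."""
    capacity = burst * rate_seconds      # credit kept in seconds: burst * cost per connection
    buckets = {}                         # ip -> (credit, last_seen)
    results = []
    for t, ip in attempts:
        credit, last = buckets.get(ip, (capacity, t))   # new sources start full
        credit = min(capacity, credit + (t - last))     # refill for the idle time
        if credit >= rate_seconds:
            credit -= rate_seconds       # spend one connection's worth of credit
            verdict = "ACCEPT"
        else:
            verdict = "DROP"             # rule does not match: falls through to a later DROP
        buckets[ip] = (credit, t)
        results.append((t, ip, verdict))
    return results


def summarize(results):
    """Count verdicts per source: {ip: {"ACCEPT": n, "DROP": n}}."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, ip, verdict in results:
        counts[ip][verdict] += 1
    return dict(counts)


def first_drop(results, ip):
    """Time of the first DROP for ip, or None if it was never dropped."""
    return next((t for t, src, v in results if src == ip and v == "DROP"), None)


if __name__ == "__main__":
    for name, fn in (("recent/hitcount", recent_filter), ("hashlimit 1/min", hashlimit_filter)):
        res = fn(ATTEMPTS)
        print(f"{name}:")
        for ip, c in sorted(summarize(res).items()):
            print(f"  {ip:<14} accepted={c['ACCEPT']:2d} dropped={c['DROP']:2d} "
                  f"first drop at t={first_drop(res, ip)}")
```

Both schemes are keyed on the source address, so neither locks out the legitimate admin while the brute-forcer is being dropped. The practical differences the simulation shows: the recent rules cut the attacker off at its 4th attempt and keep dropping it as long as it keeps hammering, whereas hashlimit lets it burn its burst of 5 and then leak back in at one connection per minute. With Kevin's rule the over-limit connection is not dropped by the rule itself; it merely fails to match, so a later DROP rule or a DROP policy on INPUT has to be in place. And because both match on `--state NEW`, spoofed SYNs carrying someone else's source address consume that address's budget in either scheme, which is the DoS exposure Marco mentions.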

More information about the fedora-test-list mailing list