[NBLUG/talk] Multiple IP address / brute force attack
Walter Hansen
gandalf at sonic.net
Wed Apr 30 00:07:34 PDT 2008
Ken McGlothlen wrote:
> Sorry to hear it. These sorts of attacks are getting more and more frequent,
> and without dynamically adaptive firewalls, they're hard to manage.
>
> | What this means to me is that if you have a range of IPs on your server and
> | actually configure them to work, it's a little like hanging out a big net
> | with bells on it.
>
> Pretty much.
>
> | Comments, laughter, ideas?
>
> No laughter from this corner. Keeping up with this sort of thing is difficult.
>
> I guess the main thing is to keep track of what networks spell trouble, and
> keep up with your firewall. Keep up to date with the patches. Improve your
> monitoring tools. And good luck.
Thanks. If it doesn't kill your server it only makes you stronger. Today
I found that one program I wrote did not get backed up. Tomorrow I get
to write it again. I hope I remember how it worked and all of what it
was supposed to do. Think I should re-work the backup setup also.
When they broke in I shut down the server. I think they had access to it
for less than a minute but it was restarting every ten minutes (offline)
so it was definitely violated.
Here's the new recipe for dropping bad connections with ssh on 122 no
less. I tried lots of recipes before one worked right:
# Record SSH: remember the source of every new connection to port 122 in the "SSH" list
-A INPUT -p tcp -m tcp --dport 122 -m state --state NEW -m recent --set --name SSH
# Log SSH ATTACK: 4 or more new connections from the same source (same TTL) within 300 seconds
-A INPUT -p tcp -m tcp --dport 122 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
# DROP SSH ATTACK: same test as the log rule, but drop the packet
-A INPUT -p tcp -m tcp --dport 122 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --rttl --name SSH -j DROP
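The LOG rule in the recipe above tags each over-limit attempt with the prefix "SSH_brute_force " in the kernel log. The script below is an added example (not from the original post) that parses such log lines and counts blocked attempts per source address; the log lines, hostnames and addresses are constructed samples.

```python
"""Summarise netfilter LOG entries tagged with the "SSH_brute_force " prefix.
Added example; the sample log lines below are constructed, not real data."""
import re
from collections import Counter

LOG_PREFIX = "SSH_brute_force"

# Netfilter LOG writes a run of KEY=VALUE fields after the prefix.
_FIELD = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_log_line(line):
    """Return the interesting fields of a tagged log line, or None for any
    other kernel message."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(_FIELD.findall(line[idx:]))
    return fields if "SRC" in fields else None


def count_by_source(lines):
    """Count tagged hits per source address.  Every hit is an attempt that the
    recent match already judged over the limit (4 new connections within
    300 s), so this counts blocked attempts, not all connection attempts."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec.get("PROTO") == "TCP" and rec.get("DPT") == "122":
            counts[rec["SRC"]] += 1
    return counts


def offenders(lines, min_hits=1):
    """Source addresses with at least min_hits blocked attempts, busiest first."""
    return [(src, n) for src, n in count_by_source(lines).most_common() if n >= min_hits]


# Constructed sample: two offending sources plus an unrelated kernel message.
SAMPLE_LOG = [
    "Apr 30 00:01:12 host kernel: SSH_brute_force IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=122 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 30 00:01:13 host kernel: SSH_brute_force IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=122 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 30 00:01:15 host kernel: SSH_brute_force IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=122 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 30 00:02:40 host kernel: SSH_brute_force IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=122 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 30 00:02:41 host kernel: eth0: link up, 100Mbps, full-duplex",
]

if __name__ == "__main__":
    for src, n in offenders(SAMPLE_LOG):
        print(f"{src:16} {n} blocked attempts")
```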