[NBLUG/talk] Doing it without the daemon... (was Re: SSHD on a different port
gandalf at sonic.net
Fri Sep 12 14:41:03 PDT 2008
I ended up doing something like that. I even have one on our mail connection. If it gets X number of new connections within Y time it blocks the connection for Z minutes. Here's some code:
# Record SSH (the --set rule has to come first: --update only matches sources already in the list)
-A INPUT -p tcp -m tcp -m state -m recent --dport 122 --state NEW --set --name SSH
# Log SSH ATTACK
-A INPUT -p tcp -m tcp -m state -m recent --dport 122 --state NEW -j LOG --update --seconds 300 --hitcount 4 --rttl --name SSH --log-prefix "SSH_brute_force "
# DROP SSH ATTACK
-A INPUT -p tcp -m tcp -m state -m recent --dport 122 --state NEW -j DROP --update --seconds 300 --hitcount 4 --rttl --name SSH
# ACCEPT SSH CONNECTIONS
-A INPUT -p tcp -m tcp --dport 122 -j ACCEPT
# Let Local Addresses Through
-A INPUT -p tcp -m tcp -s 209.204.186.172/30 -d 64.142.127.130 --dport 110 -j ACCEPT
# Let DSL through
-A INPUT -p tcp -m tcp -s 64.142.38.232/30 -d 64.142.127.130 --dport 110 -j ACCEPT
# Record POP3
-A INPUT -p tcp -m tcp -m state -m recent --dport 110 --state NEW --set --name POP
# Log POP3 ATTACK
-A INPUT -p tcp -m tcp -m state -m recent --dport 110 --state NEW -j LOG --update --seconds 60 --hitcount 4 --rttl --name POP --log-prefix "POP_brute_force "
# DROP POP3 ATTACK
-A INPUT -p tcp -m tcp -m state -m recent --dport 110 --state NEW -j DROP --update --seconds 60 --hitcount 4 --rttl --name POP
# ACCEPT POP3 CONNECTIONS
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
COMMIT
Note that ssh is on a non-standard port.
(imagine a cute or dirty tagline here)
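The rules above depend on how the iptables "recent" match keeps its per-source hit list, and the easiest way to see why the POP3 block starts with a --set rule (and why a chain made only of --update rules, like the SSH one-liner quoted below, never matches anything) is to model that list. The following Python is an added example written for this archive page; it is not code from the post or from the iptables project. It models --set and --update --seconds --hitcount as xt_recent evaluates them, runs constructed connection events (the addresses 198.51.100.7 and 203.0.113.9 are documentation addresses, not from the post) through the record/log/drop/accept pattern, and assumes an ACCEPT chain policy; it does not model --rttl, which only adds a TTL comparison.

```python
"""Model of the iptables 'recent' match (xt_recent) as used by the rules above.

Added example, not from the post: it reproduces the --set / --update
semantics so the record -> log -> drop -> accept pattern can be traced offline.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass
class Packet:
    t: float      # seconds since start (stands in for kernel jiffies)
    src: str      # source address (constructed sample values below)
    dport: int    # destination port; every packet here is a NEW TCP connection


class RecentLists:
    """All named lists (--name); one ring of hit timestamps per source address."""

    def __init__(self, ip_pkt_list_tot: int = 20):
        # 20 is the module's default ring size; an assumption of this model
        self.lists: Dict[str, Dict[str, Deque[float]]] = {}
        self.ip_pkt_list_tot = ip_pkt_list_tot

    def set(self, name: str, src: str, now: float) -> bool:
        # --set: create the entry if needed, record this hit, always match
        entries = self.lists.setdefault(name, {})
        stamps = entries.setdefault(src, deque(maxlen=self.ip_pkt_list_tot))
        stamps.append(now)
        return True

    def update(self, name: str, src: str, now: float, seconds: float, hitcount: int) -> bool:
        # --update --seconds S --hitcount N: match only if the source already
        # has an entry with at least N hits in the last S seconds. A matching
        # --update records the hit as well, which is what keeps a source that
        # keeps reconnecting blocked; a source with no entry never matches.
        stamps = self.lists.get(name, {}).get(src)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if now - s <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


Rule = Tuple[Callable[[Packet], bool], Optional[str]]   # (match, target or None)


def brute_force_chain(recent: RecentLists, port: int, name: str,
                      seconds: float, hitcount: int, with_set: bool = True) -> List[Rule]:
    """The per-port pattern from the post: record, log, drop, then accept."""
    rules: List[Rule] = []
    if with_set:
        rules.append((lambda p: p.dport == port and recent.set(name, p.src, p.t), None))
    hit = lambda p: p.dport == port and recent.update(name, p.src, p.t, seconds, hitcount)
    rules.append((hit, "LOG"))     # same match as the DROP rule, just logged first
    rules.append((hit, "DROP"))
    rules.append((lambda p: p.dport == port, "ACCEPT"))
    return rules


def run_chain(chain: List[Rule], packets: List[Packet]) -> List[str]:
    """Walk each packet through the chain; LOG is non-terminating."""
    verdicts = []
    for p in packets:
        verdict = "ACCEPT"   # chain policy assumed ACCEPT (model assumption)
        for match, target in chain:
            if not match(p):
                continue
            if target is None or target == "LOG":
                continue
            verdict = target
            break
        verdicts.append(verdict)
    return verdicts


def pop3_scenario() -> List[str]:
    """4 new connections within 60 s from one source get dropped; a quiet
    period longer than the window lets the same source back in."""
    recent = RecentLists()
    chain = brute_force_chain(recent, 110, "POP", seconds=60, hitcount=4)
    atk, legit = "198.51.100.7", "203.0.113.9"      # constructed sample addresses
    packets = [Packet(0, atk, 110), Packet(5, atk, 110), Packet(10, atk, 110),
               Packet(12, legit, 110),               # unrelated client, own entry
               Packet(15, atk, 110), Packet(20, atk, 110), Packet(50, atk, 110),
               Packet(125, atk, 110)]                # 75 s after the last hit
    return run_chain(chain, packets)


def ssh_scenario(with_set: bool) -> List[str]:
    """With the --set rule the 4th attempt is dropped; without it the
    --update rules never match and every attempt is accepted."""
    recent = RecentLists()
    chain = brute_force_chain(recent, 122, "SSH", seconds=300, hitcount=4, with_set=with_set)
    packets = [Packet(10 * i, "198.51.100.7", 122) for i in range(6)]
    return run_chain(chain, packets)


if __name__ == "__main__":
    print("POP3:", pop3_scenario())
    print("SSH with --set:", ssh_scenario(True))
    print("SSH without --set:", ssh_scenario(False))
```

Two things the trace makes visible: the hit list is a sliding window, so the "Z minutes" of blocking lasts for as long as the source keeps connecting plus one more window of quiet, not a fixed timer; and any chain that has only --update rules, with no --set rule for the same --name, never creates an entry and therefore never drops anything.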
On Fri 12/09/08 2:32 PM , Scott Doty scott at corp.sonic.net sent:
>
> > http://denyhosts.sourceforge.net/ and
> > http://opensource.sfsu.edu/node/122
> > cheers,
> > Sameer
> >
>
> I ran across this one on the net today:
>
> iptables -A INPUT -i eth0 -p tcp --dport 2280 -m state --state NEW -m
> recent --update --seconds 200 --hitcount 2 --rttl --name SSH -j DROP
> ("if two new connections on port 2280 come from the same host in 200
> seconds, drop traffic to that host")
>
> Season to taste -- show your mom! :)
>
> -Scott
> p.s. or Dilbert's mom, if you prefer...
>
>
>
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk