[NTLUG:Discuss] SSH Dictionary Attacks
Thomas Cameron
thomas.cameron at camerontech.com
Sat Dec 31 14:14:43 CST 2005
OK, this is just getting silly. I'm up to almost 10,000 dictionary
attacks against my servers per day. The logwatch e-mails are freaking
huge. I have been pretty much ignoring this stuff because I know that
remote root logins are not possible and I know for sure we are using
very strong passwords, but I am tired of the logfile silliness.
I know there are probably a million better ways to do this, but I just
ran the following two commands on all my Internet facing machines:
# Run first; because of -I it ends up SECOND in the chain. Drops a NEW
# connection to port 22 once the source has 4 or more hits within 60 seconds.
iptables -I INPUT -p tcp --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 4 -j DROP
# Run second; because of -I it ends up FIRST in the chain. Records the source
# address of every NEW connection to port 22 in the "recent" list.
iptables -I INPUT -p tcp --dport 22 -m state --state NEW \
  -m recent --set
I got them from http://www.debian-administration.org/articles/187 and
they seem to work quite nicely.
I reversed the order from the article because (if I understand it
correctly) the second one needs to be the first rule and the -I inserts
the rules at the top of the chain. So the end result is that the --set
rule is first, which adds the connecting host to the "recent" set. The
second rule is the one that DROPs the connection.
Thomas
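To see what the two rules above actually do to a stream of connection attempts, here is an added model of the iptables "recent" match. It is example code written for this page, not something from the post or from the debian-administration article, and it cannot be run against a real netfilter chain from userland, so it reproduces the xt_recent semantics from iptables-extensions(8) in Python: --set records a timestamp for the source address, and --update with --seconds/--hitcount matches when the address already has at least hitcount timestamps inside the window, refreshing the entry when it matches. The chain order is the one the post ends up with (--set first, then the --update DROP rule); that a connection which falls through both rules is then accepted, and the 20-timestamp ring size (the kernel's ip_pkt_list_tot default), are assumptions of the model. All addresses and timelines are constructed.

```python
"""Model of `-m recent --set` / `--update --seconds 60 --hitcount 4 -j DROP`.

Added illustration, not code from the original post. Timestamps are plain
seconds; the kernel uses jiffies, but the comparison is the same.
"""
from collections import deque

# xt_recent keeps a fixed ring of timestamps per address; the module default
# (ip_pkt_list_tot) is 20.  Assumed here, not stated on the page.
DEFAULT_STAMPS = 20


class RecentList:
    """Per-source-address timestamp ring, like one /proc/net/xt_recent/<name> list."""

    def __init__(self, max_stamps=DEFAULT_STAMPS):
        self.max_stamps = max_stamps
        self.entries = {}  # source address -> deque of timestamps (seconds)

    def set(self, src, now):
        """-m recent --set: create or refresh the entry. Always matches."""
        stamps = self.entries.setdefault(src, deque(maxlen=self.max_stamps))
        stamps.append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount H.

        Matches only if the address already has >= H stamps no older than
        now - S.  On a match the entry gets another stamp; that refresh is
        what keeps a host that keeps hammering inside the window.
        """
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if s >= now - seconds)
        matched = hits >= hitcount
        if matched:
            stamps.append(now)
        return matched


def ssh_new_connection(recent, src, now, seconds=60, hitcount=4):
    """Verdict for one NEW TCP/22 packet under the chain from the post.

    After the two -I commands the --set rule sits first, then the
    --update/--hitcount DROP rule.  A packet that falls through both is
    assumed (for this model) to reach a later ACCEPT rule.
    """
    recent.set(src, now)                          # rule 1: --set, no target
    if recent.update(src, now, seconds, hitcount):
        return "DROP"                             # rule 2: -j DROP
    return "ACCEPT"                               # assumed later accept rule


def run_timeline(events, seconds=60, hitcount=4):
    """Apply the chain to time-ordered (time, src) new-connection attempts."""
    recent = RecentList()
    return [ssh_new_connection(recent, src, t, seconds, hitcount)
            for t, src in events]


if __name__ == "__main__":
    # Constructed timelines (not real logs): a dictionary attacker trying a
    # login every 10 s, and an admin opening a few sessions spread out.
    attacker = [(t, "203.0.113.7") for t in range(0, 100, 10)]
    admin = [(0, "198.51.100.5"), (45, "198.51.100.5"), (300, "198.51.100.5")]
    for label, events in (("attacker", attacker), ("admin", admin)):
        print(label, run_timeline(events))
```

Two things the model makes visible that the rule pair itself does not: every source is tracked independently, so one blocked address does not affect another; and the threshold is purely "4 NEW connections from one address in 60 seconds", so an admin running scp in a loop trips it exactly like an attacker, while a host that pauses for a full window gets back in.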