[NTLUG:Discuss] SSH Dictionary Attacks
Neil Aggarwal
neil at JAMMConsulting.com
Sun Jan 1 01:05:16 CST 2006
Thomas:
Thank you for this post! I am going to add this to my
firewall rules.
Do you report the attacks to the ISP that manages the IP
that attacked you?
Every time we get an attack on a server, we report it to the
ISP responsible, but so far have not seen any effect of doing
so.
Thanks,
Neil
--
Neil Aggarwal, JAMM Consulting, (214) 986-3533, www.JAMMConsulting.com
FREE! Valuable info on how your business can reduce operating costs by
17% or more in 6 months or less! http://newsletter.JAMMConsulting.com
-----Original Message-----
From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org] On Behalf
Of Thomas Cameron
Sent: Saturday, December 31, 2005 2:15 PM
To: discuss at ntlug.org
Subject: [NTLUG:Discuss] SSH Dictionary Attacks
OK, this is just getting silly. I'm up to almost 10,000 dictionary
attacks against my servers per day. The logwatch e-mails are freaking
huge. I have been pretty much ignoring this stuff because I know that
remote root logins are not possible and I know for sure we are using
very strong passwords, but I am tired of the logfile silliness.
I know there are probably a million better ways to do this, but I just
ran the following two commands on all my Internet facing machines:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW \
-m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW \
-m recent --set
I got them from http://www.debian-administration.org/articles/187 and
they seem to work quite nicely.
I reversed the order from the article because (if I understand it
correctly) the second one needs to be the first rule and the -I inserts
the rules at the top of the chain. So the end result is that the --set
rule is first, which adds the connecting host to the "recent" set. The
second rule is the one that DROPs the connection.
Thomas
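To see what the two rules actually let through, here is an added Python model of the `-m recent` logic (my own example, not code from the post or from the Debian article). The timestamps and the documentation-range addresses in the sample are constructed; the window and hit count are the rule's own `--seconds 60 --hitcount 4`.

```python
# Model of the two `-m recent` rules from the post, to show which NEW SSH
# connections they let through. Constants mirror --seconds 60 --hitcount 4.
from collections import defaultdict

WINDOW_SECONDS = 60
HITCOUNT = 4


class RecentList:
    """Per-source timestamp lists, as the xt_recent table keeps them."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # `--set`: always matches and records this packet's time.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # `--update --seconds N --hitcount H`: matches when at least H stamps
        # fall inside the last N seconds; a match also refreshes the entry,
        # so a host that keeps retrying stays blocked.
        recent = [t for t in self.stamps[src] if now - t <= seconds]
        if len(recent) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_ssh_attempts(attempts, set_first=True):
    """Return (time, src, verdict) per NEW connection. set_first=True is the
    chain order Thomas ends up with (--set, then --update/DROP)."""
    table = RecentList()
    verdicts = []
    for now, src in attempts:
        if set_first:
            table.set(src, now)
            dropped = table.update(src, now, WINDOW_SECONDS, HITCOUNT)
        else:
            dropped = table.update(src, now, WINDOW_SECONDS, HITCOUNT)
            if not dropped:
                table.set(src, now)
        verdicts.append((now, src, "DROP" if dropped else "ACCEPT"))
    return verdicts


# Constructed sample: a brute-forcer retrying every 5 s and an admin who
# logs in three times over a couple of minutes (documentation addresses).
SAMPLE = sorted([(5 * i, "203.0.113.9") for i in range(12)]
                + [(0, "192.0.2.10"), (40, "192.0.2.10"), (130, "192.0.2.10")])
```

With the `--set` rule first, the attacker's fourth attempt inside the window is dropped and every later one stays dropped while it keeps hammering; with the rules reversed one extra attempt gets through, which is the ordering point Thomas makes.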