On Thursday 2005-12-22 at 09:34 +0200, Andre Truter wrote:
> I have a problem on one of my servers. A specific host has been attacking my server via ssh for the past 5 hours.
> Now it is starting to cost me in bandwidth usage.
> How can I set up SuSEFirewall2 to just drop all packets from that specific host?
I copied this from the security list:

|Date: Tue, 13 Dec 2005 10:21:59 +0100 (CET)
|From: Bjorn Tore Sund
|Subject: Re: SPAM: Re: [suse-security] Openssh + security
| ...
|
| I assume you're looking for the "recent" module for iptables.
|
| # Blocking ssh attacks
| /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
| /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
| /usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
|
| This will block all further SYNs from an IP address starting on the
| sixth port 22 connection within 60 seconds. It takes 60 seconds of
| absolute quiet from that same IP address (or a reboot) to make the
| block go away. Kills a LOT of brute force ssh attacks. I've also
| used this both against web statistics spammers and email DoSers with
| good results.
|
| Bjørn

I guess the place for it would be in /etc/sysconfig/scripts/SuSEFirewall2-custom or thereabouts; somebody said in fw_custom_before_antispoofing, others in fw_custom_before_port_handling. I dunno.

Probably the best place to ask about this is the security list, but check the archive first.

-- 
Cheers,
Carlos Robinson
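For readers who want to see the two pieces of advice in the thread put together, here is an added example (my own, not code from Carlos, Bjørn or the SuSEFirewall2 project) of what a SuSEFirewall2-custom hook could look like: one rule that drops everything from the single host Andre asked about, followed by Bjørn's "recent"-module rate limit for port 22. It uses the fw_custom_before_port_handling hook name and the script path named in the thread; the FW_CUSTOMRULES setting, the variable names, the 192.0.2.10 address and the choice of DROP instead of REJECT for the rate-limit rule (no RST goes back, which is what saves bandwidth) are my assumptions. The rules are generated by a function that prints them, so they can be reviewed without root and without a live netfilter; the hook then evals each printed line.

```shell
#!/bin/sh
# Added example, not from the original thread: a SuSEFirewall2-custom style
# hook that (1) drops all traffic from one known-bad host and (2) rate-limits
# SSH SYNs with the iptables "recent" module, as in Bjørn's rules.
#
# Assumed wiring (my recollection, not stated in the thread): in
# /etc/sysconfig/SuSEFirewall2 set
#   FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEFirewall2-custom"
# and put the functions below into that script.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
SSH_PORT=${SSH_PORT:-22}
SSH_WINDOW=${SSH_WINDOW:-60}   # seconds of quiet before the block lifts
SSH_HITS=${SSH_HITS:-6}        # SYNs within the window that trigger it

# Print the rules instead of executing them.  $1 = the host to drop outright
# (192.0.2.10 below is a constructed example address, RFC 5737 test range).
ssh_guard_rules() {
    badhost="$1"
    # 1. Hard block for the one host hammering us.  Inserted at the top of
    #    INPUT so nothing else (state rules, port handling) sees it first.
    #    DROP rather than REJECT: no reply packet, so no bandwidth spent.
    printf '%s -I INPUT -s %s -j DROP\n' "$IPTABLES" "$badhost"
    # 2. Record every SSH SYN under the list name "sshattack".  This rule
    #    does not terminate, so each SYN also falls through to rule 3.
    printf '%s -A INPUT -p tcp --syn --dport %s -m recent --name sshattack --set\n' \
        "$IPTABLES" "$SSH_PORT"
    # 3. From the SSH_HITS-th SYN within SSH_WINDOW seconds on, log then drop.
    #    --update refreshes the timestamp on each match, so the block only
    #    lifts after a full quiet window, as Bjørn describes.
    printf '%s -A INPUT -p tcp --syn --dport %s -m recent --name sshattack --update --seconds %s --hitcount %s -j LOG --log-prefix "SSH attack: "\n' \
        "$IPTABLES" "$SSH_PORT" "$SSH_WINDOW" "$SSH_HITS"
    printf '%s -A INPUT -p tcp --syn --dport %s -m recent --name sshattack --update --seconds %s --hitcount %s -j DROP\n' \
        "$IPTABLES" "$SSH_PORT" "$SSH_WINDOW" "$SSH_HITS"
}

# SuSEFirewall2 calls this hook (name taken from the thread) while building
# its ruleset.  BAD_SSH_HOST is an assumed variable you would set in the same
# script; the hook fails loudly if it is missing rather than dropping nothing.
fw_custom_before_port_handling() {
    ssh_guard_rules "${BAD_SSH_HOST:?set BAD_SSH_HOST to the attacking IP}" |
    while IFS= read -r rule; do
        eval "$rule"
    done
    true
}

# Dry run when executed directly: show the rules that would be installed.
ssh_guard_rules "${1:-192.0.2.10}"
```

Run it as `sh SuSEFirewall2-custom 203.0.113.5` to eyeball the rules before letting SuSEFirewall2 load the hook. Two things worth knowing when you adapt it: the --set rule counts towards --hitcount, so the sixth SYN is the first one blocked, and because both --update rules refresh the entry, a host that keeps knocking stays blocked until it has been silent for the whole window.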