Bruce Smith wrote:
You can use the iptables "recent" module. Simply filter on new SYN packets to the SSH port and add the bad guy whenever he opens more than X connections in Y seconds to SSH. Stops em dead. You mustn't do it yourself of course.
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-3.h...
You'll need to roll your own firewall rules if you don't already. (Unless it is now possible to inject such things in SuSEFirewall2, I don't know, haven't looked at SuSEFirewall in the last 3-4 years :-) )
Thanks for all the replies! I've found setting "MaxAuthTries 2" with a combination of the iptables rules works great! I can hardly wait to get attacked again to watch it work. ;-)
Just log in and immediately press CTRL-D a bunch of times. Works like a charm :-)
The only problem is iptables can't tell the difference between a successful login and a failed login, but that's not usually a problem as long as I don't open a bunch of SSH connections all at once.
That is true. It might become a problem if you do lots of SCP though. However that should be further distinguishable by the TOS field. I personally don't like the log-watch approach. It can better distinguish the brute-forcers from legitimate SSH users, but it is one more daemon to run, works on the logfile (which means special handling for log rotation) and must run as root in order to manipulate the firewall rules. Whereas the recent module has been in the kernel for quite some time now, and the firewall is there anyway and does not require any intervention from me to start something else. It also does not change my firewall rules without my intervention, though that is a minor point. Btw. you can also make a port-knocking scheme with ipt_recent.
I'll check into swatch when I get time, but for now I'll share the iptables rules I ended up with with this list as my thanks to everyone. This will block any IP for 60 seconds that tries to connect 5 or more times in a one-minute time frame (along with logging it). It's easy to test, just log in multiple times and ALL the connections will freeze for a while when you hit the login limit:
# every new connection to port 22 on eth0 is recorded in the 'sshattack' list
iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -m recent --name sshattack --set
# any packet from a source with 5 or more hits in the last 60 seconds: log it, then drop it
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 5 -j DROP
I use a two-level approach like this:

#
# special handling for SSH (to dwarf SSH dictionary attacks)
#
# traffic for port 22 is sent to the SSH chain from INPUT (that jump rule is not shown here)
$IPTABLES -N SSH
$IPTABLES -N SSH-evil
# flag the source in badSSH and log it (LOG is non-terminating), then reject
$IPTABLES -A SSH-evil -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
$IPTABLES -A SSH-evil -j REJECT
# packets of already established sessions pass straight through
$IPTABLES -A SSH -p TCP ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from a source flagged within the last 600 seconds are rejected
$IPTABLES -A SSH -p TCP --syn -m recent --name badSSH --rcheck --seconds 600 -j REJECT
# 5 new connections already seen within 60 seconds: flag the source
$IPTABLES -A SSH -p TCP --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-evil
# otherwise count this connection and let it in
$IPTABLES -A SSH -p TCP --syn -m recent --name sshconn --set
$IPTABLES -A SSH -p TCP --syn -j ACCEPT

It first checks for already established connections and lets 'em pass. Then it checks for the badSSH flag and rejects the bad guy for 10 minutes. Otherwise it is a new SSH connection and checks if we've seen 5 in 60 seconds; if so, jump to SSH-evil where the badSSH marker gets added. Otherwise just set the sshconn marker, which is harmless unless you get 5 in 60 seconds.

-- C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
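The two rule sets in this thread (the three-rule 'sshattack' set and René's two-level SSH chain) differ in exactly the points raised above: which packet trips the limit, whether an already-open session from the same address gets frozen, and how long the penalty lasts. The following is an example added by the editor, not code from any of the posters or from netfilter: a small Python model of the 'recent' match (--set, --rcheck --seconds S --hitcount H) replayed over constructed traffic from an attacker and from a legitimate user who launches a batch of scp transfers. It assumes the module's default of 20 stored timestamps per address (ip_pkt_list_tot) and, for the two-level chain, that INPUT steers port-22 traffic into the SSH chain; the addresses and timings are made up.

```python
"""Model of the iptables 'recent' match (--set / --rcheck --seconds S
--hitcount H) replayed over constructed SSH traffic, so the single-level
rule set and the two-level SSH chain from the thread can be compared
offline.  Editor's example, not kernel code.  The sliding-window logic
follows xt_recent's documented behaviour; the per-address limit of 20
stored timestamps is the module's default ip_pkt_list_tot (assumed)."""
from collections import deque

RECENT_LIST_SIZE = 20  # assumed default ip_pkt_list_tot


class RecentTable:
    """One --name table: per source address, timestamps of the last
    RECENT_LIST_SIZE packets that hit a --set rule naming this table."""

    def __init__(self, size=RECENT_LIST_SIZE):
        self.size = size
        self.stamps = {}

    def set(self, src, now):
        """--set: record a hit for src, creating the entry on first sight."""
        self.stamps.setdefault(src, deque(maxlen=self.size)).append(now)

    def rcheck(self, src, now, seconds=0, hitcount=0):
        """--rcheck [--seconds S] [--hitcount H]: True if src is in the table
        and has at least H hits (any hit when H == 0) in the last S seconds
        (all stored hits when S == 0).  Unlike --update, this adds nothing."""
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        hits = 0
        for stamp in stamps:
            if seconds and stamp < now - seconds:
                continue  # outside the window, ignore
            hits += 1
            if not hitcount or hits >= hitcount:
                return True
        return False


def single_level(packets):
    """The three-rule set: every SYN to port 22 is --set into 'sshattack';
    any packet at all from a source with >= 5 hits in 60 s is LOGged and
    DROPped.  Returns (time, src, kind, verdict) per packet; PASS means
    'not matched here, continues down INPUT'."""
    sshattack = RecentTable()
    out = []
    for t, src, kind in packets:
        if kind == "syn22":
            sshattack.set(src, t)                    # rule 1 (--set, no -j)
        if sshattack.rcheck(src, t, 60, 5):          # rules 2 and 3: LOG, DROP
            out.append((t, src, kind, "DROP"))
        else:
            out.append((t, src, kind, "PASS"))
    return out


def two_level(packets):
    """The SSH chain.  Only TCP/22 packets are steered into it (the INPUT
    jump is assumed); other traffic is untouched.  Established sessions are
    accepted first, then a source flagged in 'badSSH' within 600 s is
    rejected, then the 6th SYN inside 60 s flags the source, otherwise the
    SYN is counted in 'sshconn' and accepted."""
    badssh, sshconn = RecentTable(), RecentTable()
    out = []
    for t, src, kind in packets:
        if kind == "est22":
            verdict = "ACCEPT"                       # ! --syn ESTABLISHED,RELATED
        elif kind == "syn22":
            if badssh.rcheck(src, t, 600):           # flagged within the last 10 min
                verdict = "REJECT"
            elif sshconn.rcheck(src, t, 60, 5):      # 5 earlier SYNs within 60 s
                badssh.set(src, t)                   # SSH-evil: flag, LOG, REJECT
                verdict = "REJECT"
            else:
                sshconn.set(src, t)
                verdict = "ACCEPT"
        else:
            verdict = "PASS"                         # never enters the SSH chain
        out.append((t, src, kind, verdict))
    return out


def verdicts_for(result, src):
    """Verdict sequence for one source address, in packet order."""
    return [v for _, s, _, v in result if s == src]


# Constructed traffic, not a capture: an attacker opening a new SSH
# connection every 10 s, and a legitimate user with an interactive session
# already open who fires off six scp transfers within ten seconds.
ATTACKER, USER = "203.0.113.7", "198.51.100.2"
PACKETS = sorted(
    [(t, ATTACKER, "syn22") for t in range(0, 120, 10)]
    + [(5, USER, "est22"), (32, USER, "est22"), (40, USER, "other")]
    + [(t, USER, "syn22") for t in (20, 22, 24, 26, 28, 30)]
)

if __name__ == "__main__":
    for name, ruleset in (("single-level", single_level), ("two-level", two_level)):
        result = ruleset(PACKETS)
        print(name)
        for src in (ATTACKER, USER):
            print(f"  {src}: {' '.join(verdicts_for(result, src))}")
```

Running it shows the difference in one screen: the single-level set drops the attacker from the 5th SYN on and, because rules 2 and 3 carry no port or protocol match, also drops the legitimate user's established session and unrelated traffic once the scp burst reaches five connections. The two-level chain lets the 5th connection through and rejects the 6th, leaves the open session alone, and keeps the flag for ten minutes without refreshing it, so a patient attacker gets a fresh allowance after that; the single-level set keeps extending the block as long as SYNs keep arriving, since every SYN hits the --set rule first.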