
On Tue, 8 Nov 2005 11:52 am, Dan Abernathy wrote:
> I notice several automated break-in attempts appearing in /var/log/messages regarding sshd. A small sample:
Just to follow up on my last post, to implement rate limiting on SSH attacks I pasted Andrew Pollock's rules into /etc/sysconfig/Susefirewall2-custom.

Edit /etc/sysconfig/Susefirewall2 and uncomment

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

/etc/init.d/Susefirewall2_setup reload

See how it goes!

Here is the /etc/sysconfig/Susefirewall2-custom file. Any line that begins with "--" has been wrapped and needs to be appended to the line before.

#
# /etc/sysconfig/Susefirewall2-custom
#
######################################################
# Rate limit brute force SSH attacks, rules by Andrew Pollock #
# #
# http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks #
#-----------------------------------------------------------------------#

# First whitelist a few hosts
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s trusted.host -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s also.reliable -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s alianet.alia.org.au -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s flat.alia.org.au -m recent --remove --name SSH -j ACCEPT

# Then implement the "recent" based filter
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
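To show how the four INPUT rules above interact, here is a small Python model of the ipt_recent semantics they rely on (--set records a hit, the whitelist chain's --remove deletes the entry, --update with --hitcount 4 --seconds 60 matches once four hits fall inside the window). This is an added example, not code from the post or from Andrew Pollock's page; the whitelist address and the traffic are constructed, and the --rttl TTL check is not modelled.

```python
from collections import defaultdict

SECONDS, HITCOUNT = 60, 4
# Constructed stand-in for the trusted.host / also.reliable entries in the post.
SSH_WHITELIST = {"192.0.2.10"}


class RecentList:
    """One named ipt_recent table (--name SSH): source -> list of hit timestamps."""

    def __init__(self):
        self.stamps = defaultdict(list)
        self.ulog = []  # lines the ULOG rule would emit

    def set(self, src, now):
        """--set: record this packet as a hit for src (creates the entry if needed)."""
        self.stamps[src].append(now)

    def remove(self, src):
        """--remove: delete src; the whitelist rule matches only if it was listed."""
        return self.stamps.pop(src, None) is not None

    def check(self, src, now):
        """--update --seconds 60 --hitcount 4: match if src is listed with at least
        4 hits in the last 60 s. The kernel also refreshes last-seen on a match, which
        --set already did for this packet; --rttl and the per-entry stamp cap are not
        modelled."""
        recent = [t for t in self.stamps.get(src, ()) if now - t <= SECONDS]
        return len(recent) >= HITCOUNT


def ssh_new_connection(table, src, now, whitelist=SSH_WHITELIST):
    """Walk the four INPUT rules for one NEW tcp/22 packet and return the verdict.
    'PASS' means none matched and the packet continues down INPUT to the rest of
    the SuSEfirewall2 rules; it is not an ACCEPT by this rule set."""
    table.set(src, now)                             # rule 1: -m recent --set
    if src in whitelist and table.remove(src):      # rule 2: -j SSH_WHITELIST
        return "ACCEPT"                             #   -m recent --remove -j ACCEPT
    if table.check(src, now):                       # rule 3: hitcount -> -j ULOG
        table.ulog.append(f"SSH_brute_force SRC={src} t={now}")
        return "DROP"                               # rule 4: same match, -j DROP
    return "PASS"


def run(events, whitelist=SSH_WHITELIST):
    """events: (seconds, src) for NEW connections in arrival order; returns verdicts + table."""
    table = RecentList()
    return [ssh_new_connection(table, src, t, whitelist) for t, src in events], table
```

Feeding run() a source that opens connections at t=0, 10, 20, 30 gives PASS for the first three and DROP for the fourth, while a whitelisted source is ACCEPTed every time and never accumulates stamps, because --remove empties its entry on each packet.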