Mailinglist Archive: opensuse-security (138 mails)

< Previous Next >
Re: SPAM: Re: [suse-security] Openssh + security
  • From: Bjorn Tore Sund <bjornts@xxxxxxxxx>
  • Date: Tue, 13 Dec 2005 10:21:59 +0100 (CET)
  • Message-id: <Pine.LNX.4.61.0512131008380.12377@xxxxxxxxxxxxxx>

On Mon, 12 Dec 2005, Carlos E. R. wrote:

> Hash: SHA1
> The Sunday 2005-12-11 at 15:46 -0800, Scott Leighton wrote:
> > Yes, the script kiddies are a nuisance. I use login_sentry to send
> > them on their way (it adds their IP address to hosts.deny).
> That list could grow very large. Also, if those attacks come from dynamic
> ips, you could have a deny line for an IP that has changed owner, and now
> is an honest person, while the attacker is using a new one you do not have
> listed yet.
> I think I read in passing somewhere about an iptables rule to deny
> temporarily access to a certain IP; the rule is temporary and disappears
> after some time, freeing resources.
> But I don't know what is it.

I assume you're looking for the "recent" module for iptables.
# Blocking ssh attacks
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
/usr/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

This will block all further syns from an IP address starting on the
sixth port 22 connection within 60 seconds. It takes 60 seconds of
absolute quiet from that same ip address (or a reboot) to make the
block go away. Kills a LOT of brute force ssh attacks. I've also
used this both against web statistics spammers and email DOSers with
good results.

Bjørn Tore Sund Phone: (+47) 555-84894 Stupidity is like a
System administrator Fax: (+47) 555-89672 fractal; universal and
Math. Department Mobile: (+47) 918 68075 infinitely repetitive.
University of Bergen VIP: 81724
Support: Contact: teknisk@xxxxxxxxx Direct: bjornts@xxxxxxxxx

< Previous Next >