[Nelug] Blocking brute-force ssh attacks
richm at oldelvet.org.uk
Wed Aug 9 15:24:35 UTC 2006
> -----Original Message-----
> From: nelug-bounces at mailman.lug.org.uk
> [mailto:nelug-bounces at mailman.lug.org.uk] On Behalf Of Martin Ward
> Getting fed up with the various idiots who think that they
> can guess my ssh
> attacks with a brute force dictionary attack, I decided to do
> about them.
> I previously experimented with "port knocking" (see
> which worked, but is a bit tricky to use since many public
> internet access
> points have a very limited set of ports open.
> So instead, I wrote a small daemon which scans the log file and builds
> a list of IP addresses which have cause too many failed login
I've got a simple iptables thing that uses the ipt_recent module. It works
pretty well and stops people who try more than x times without leaving y
seconds between one of the x attempts.
At standard I have x = 10, y = 60
I use this on a number of machines that I look after including those in a
co-lo facility - it works pretty well.
Oh and I whitelist a number of addresses so that they are not subject to the
rules to stop the possibility of getting too locked out.
The core stuff to setup the ipt_recent rules is

# badguyrst: forget the source address (and log that it was dropped from the table)
$IPTABLES -N badguyrst
$IPTABLES -A badguyrst -m recent --name badguy --remove \
    -j LOG --log-prefix "Removed from badguy table "

# badguychk: count hits per source address in the "badguy" table
$IPTABLES -N badguychk
# not seen within the last 60 seconds (y) -> clear its entry via badguyrst
$IPTABLES -A badguychk -m recent --name badguy ! --rcheck --seconds 60 -j badguyrst
# 11 or more hits -> already over the limit (jump target is cut off in the original message)
$IPTABLES -A badguychk -m recent --name badguy --update --hitcount 11 -j
# 10 hits (x) -> log it; LOG does not terminate, so the next rule still runs
$IPTABLES -A badguychk -m recent --name badguy --update --hitcount 10 \
    -j LOG --log-prefix "Found a badguy "
# 10 hits -> block (jump target is cut off in the original message)
$IPTABLES -A badguychk -m recent --name badguy --update --hitcount 10 -j
# anything else: record the hit and let it through
$IPTABLES -A badguychk -m recent --name badguy --set -j ACCEPT

Then add your whitelists (these must sit in INPUT before the badguychk jump so whitelisted hosts never reach the counter)

$IPTABLES -A INPUT -p tcp -m multiport --dports 21,22 -m state --state NEW \
    -s <ip-of-goodguy> -j ACCEPT

Then for each port that you want to block do something like

$IPTABLES -A INPUT -p tcp --destination-port 22 -j badguychk
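The following is an added example, not code from the original message: a small Python model of the badguychk chain and the ipt_recent table behind it, run over a constructed sequence of connection attempts so the x = 10 / y = 60 behaviour can be seen directly. It assumes the two truncated "-j" targets are DROP, and that an earlier ESTABLISHED,RELATED rule keeps session packets away from the chain, so every event here is one new connection.

```python
from collections import defaultdict

WINDOW, LIMIT, LIST_TOT = 60, 10, 20   # y seconds, x attempts, ip_pkt_list_tot default

class RecentList:
    """Model of one ipt_recent table (--name badguy): src -> packet timestamps."""
    def __init__(self):
        self.hits = defaultdict(list)

    def _stamp(self, src, now):            # record a packet, keeping the newest LIST_TOT
        ts = self.hits[src]
        ts.append(now)
        del ts[:-LIST_TOT]

    def rcheck(self, src, now, seconds):   # --rcheck --seconds N: present and seen within N s
        ts = self.hits.get(src)
        return bool(ts) and now - ts[-1] <= seconds

    def update(self, src, now, hitcount):  # --update --hitcount N: match, then stamp
        ts = self.hits.get(src)
        if not ts or len(ts) < hitcount:
            return False
        self._stamp(src, now)
        return True

    def set(self, src, now):               # --set: always matches and stamps
        self._stamp(src, now)
        return True

    def remove(self, src):                 # --remove: matches only if the address is present
        return self.hits.pop(src, None) is not None

def badguychk(table, src, now, log):
    """Walk the chain for one new connection from src at time now; return the verdict."""
    if not table.rcheck(src, now, WINDOW):          # ! --rcheck --seconds 60 -j badguyrst
        if table.remove(src):
            log.append(f"Removed from badguy table {src}")
    if table.update(src, now, LIMIT + 1):           # --hitcount 11 -j DROP (assumed target)
        return "DROP"
    if table.update(src, now, LIMIT):               # --hitcount 10 -j LOG (non-terminating)
        log.append(f"Found a badguy {src}")
    if table.update(src, now, LIMIT):               # --hitcount 10 -j DROP (assumed target)
        return "DROP"
    table.set(src, now)                             # --set -j ACCEPT
    return "ACCEPT"

def run(attempts):
    """attempts: (seconds, src) pairs in time order -> (verdict per attempt, log lines)."""
    table, log, verdicts = RecentList(), [], []
    for now, src in attempts:
        verdicts.append(badguychk(table, src, now, log))
    return verdicts, log

# Constructed trace: 12 attempts 5 s apart, a 61 s pause, then two more attempts.
TRACE = [(5 * i, "203.0.113.7") for i in range(12)] + [(116, "203.0.113.7"), (121, "203.0.113.7")]
```

Note that the limit is on the gap between consecutive attempts, not on the overall rate: an address that pauses for more than 60 seconds between every attempt is removed from the table each time and is never blocked.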