[Nelug] Blocking brute-force ssh attacks

Richard Mortimer richm at oldelvet.org.uk
Wed Aug 9 15:24:35 UTC 2006



> -----Original Message-----
> From: nelug-bounces at mailman.lug.org.uk 
> [mailto:nelug-bounces at mailman.lug.org.uk] On Behalf Of Martin Ward
> 
> 
> Getting fed up with the various idiots who think that they can guess my ssh
> attacks with a brute force dictionary attack, I decided to do something
> about them.
> 
> I previously experimented with "port knocking" (see www.portknocking.org)
> which worked, but is a bit tricky to use since many public internet access
> points have a very limited set of ports open.
> 
> So instead, I wrote a small daemon which scans the log file and builds
> a list of IP addresses which have caused too many failed login attempts:
> 

I've got a simple iptables thing that uses the ipt_recent module. It works
pretty well and stops people who try more than x times without leaving y
seconds between one of the x attempts.
As standard I have x = 10, y = 60.


I use this on a number of machines that I look after including those in a
co-lo facility - it works pretty well.

Oh and I whitelist a number of addresses so that they are not subject to the
rules to stop the possibility of getting too locked out.

The core stuff to set up the ipt_recent rules is

# Chain that forgets an address once it has been quiet for long enough
$IPTABLES -N badguyrst
$IPTABLES -A badguyrst -m recent --name badguy --remove \
    -j LOG --log-prefix "Removed from badguy table "

# Chain that counts new connections per source address
$IPTABLES -N badguychk
# Not seen in the last 60 seconds (y): take the address out of the table
$IPTABLES -A badguychk -m recent --name badguy ! --rcheck --seconds 60 -j badguyrst
# Already well past the limit: drop silently
$IPTABLES -A badguychk -m recent --name badguy --update --hitcount 11 -j DROP
# Reached the limit (x = 10 recorded attempts): log it, then drop
$IPTABLES -A badguychk -m recent --name badguy --update --hitcount 10 \
    -j LOG --log-prefix "Found a badguy "
$IPTABLES -A badguychk -m recent --name badguy --update --hitcount 10 -j DROP
# Otherwise record the attempt and let it through
$IPTABLES -A badguychk -m recent --name badguy --set -j ACCEPT

Then add your whitelists

$IPTABLES -A INPUT -p tcp -m multiport --dports 21,22 -m state --state NEW \
    -s <ip-of-goodguy> -j ACCEPT

Then for each port that you want to block do something like

$IPTABLES -A INPUT -p tcp --destination-port 22 -j badguychk

 
Richard
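To see what those rules do to a stream of connections, here is an added example (not code from Richard's post or from iptables itself) that models the badguy table in Python and replays constructed connection attempts through the badguychk chain, including the whitelist and the 60-second forget rule. It assumes the xt_recent semantics stated in its docstring; the 2006-era ipt_recent module may differ in detail.

```python
"""Model of the post's ipt_recent chain (added example, not code from the post). Assumed
xt_recent semantics: up to 20 stamps per address; --set adds one, --update adds one only on
match; --hitcount N needs N stored stamps; ! --rcheck --seconds S: no stamp within S seconds."""

X_ATTEMPTS = 10    # x in the post: more than x attempts ...
Y_SECONDS = 60     # y in the post: ... without a y-second gap between them
PKT_LIST_TOT = 20  # xt_recent ip_pkt_list_tot default: stamps kept per address

class RecentTable:                     # the 'badguy' list: ip -> recent stamps
    def __init__(self):
        self.entries = {}
    def seen_within(self, ip, now, seconds):
        return any(now - t <= seconds for t in self.entries.get(ip, []))
    def hits(self, ip):
        return len(self.entries.get(ip, []))
    def stamp(self, ip, now):
        self.entries.setdefault(ip, []).append(now)
        del self.entries[ip][:-PKT_LIST_TOT]   # oldest stamps fall off the ring
    def remove(self, ip):
        return self.entries.pop(ip, None) is not None

def badguychk(table, ip, now, log):
    """Verdict of the badguychk chain for one new connection from ip at time now."""
    # ! --rcheck --seconds y -j badguyrst: quiet for y seconds -> forget the address
    if not table.seen_within(ip, now, Y_SECONDS) and table.remove(ip):
        log.append(f"Removed from badguy table {ip}")
    # --update --hitcount x+1 -j DROP: well past the limit, drop silently
    if table.hits(ip) >= X_ATTEMPTS + 1:
        table.stamp(ip, now)
        return "DROP"
    # --update --hitcount x -j LOG, then --update --hitcount x -j DROP
    if table.hits(ip) >= X_ATTEMPTS:
        log.append(f"Found a badguy {ip}")
        table.stamp(ip, now)           # each matching --update re-stamps, so the
        table.stamp(ip, now)           # block outlives the y-second window
        return "DROP"
    table.stamp(ip, now)               # --set -j ACCEPT: count it and let it in
    return "ACCEPT"

def run(attempts, whitelist=frozenset()):
    """attempts: (time_in_seconds, source_ip) pairs; returns (verdicts, log lines)."""
    table, log, verdicts = RecentTable(), [], []
    for now, ip in attempts:           # whitelist = the INPUT ACCEPT rule before badguychk
        verdicts.append("ACCEPT" if ip in whitelist else badguychk(table, ip, now, log))
    return verdicts, log

# Constructed input (addresses made up): 10.0.0.5 connects every 5 s, 13 times, then
# once more 61 s after its last try; 192.0.2.10 is a whitelisted admin.
ATTEMPTS = [(5 * i, "10.0.0.5") for i in range(13)] + [(121, "10.0.0.5"), (122, "192.0.2.10")]
```

Running `run(ATTEMPTS, whitelist={"192.0.2.10"})` shows the first ten attempts accepted, the next three dropped (the first of them logged), and the address accepted again after the 61-second pause, which is what the `! --rcheck --seconds 60` rule buys you.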
