Re: ssh security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2005-12-26 at 17:56 -0800, jdow wrote:
> From: "Christian Motta" <chris@xxxxxxxxx>
> 
> >I wrote this script to thwart the brute force ssh hackers.  It isn't the 
> > most efficient but it works. it blocks their ip using iptables. I run it 
> > every min via cron
> > 
> > 
> > 
> > #!/usr/bin/perl
> 
> Thanks for the nice script Chris. I may add that to deepen my defenses.
> 
> I have found, however, that a simple three line iptables addition seems
> to work like a champ, except for filling up the log.
> 
A nice dynamic iptables tool to monitor sshd and block attacks is
sshdfilter.
http://www.csc.liv.ac.uk/~greg/sshdfilter/

I use it on several servers and it works really well to detect and block
attacks.
With it an attempt to login with an unknown account gets instantly
blocked, and with a known account (root or some other user) they only
get 6 attempts before it is blocked.  Most of the attacks on my systems
don't even get 2 attempts before they are blocked.  I don't have root
enabled for remote access so there is no worry there.

To avoid an enormous long iptables rule list the blocked addresses are
unblocked after 3 days.


> ===8<---
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
> $iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
> ===8<---
> 
> I've been taking to looking at where large numbers of rejected connections
> come from and have been adding them to the firewall manually. Your script
> can probably be adapted.
> 
> (It is amusing how long idiots will keep trying. I had a twit from India
> trying nearly 10,000 times today before I finally blocked him. He got two
> chances in that entire set to actually try to guess a password. He made
> two runs. And right at the start of the two runs he tried and got the
> predictable password failure. After that for an hour or more at a stretch
> he simply pounded that reject rule never getting into the system at all.
> Poor baby. It did prompt me to simply add blanket blocks for much of the
> APNIC space that's allocated to Asian countries I never expect to visit.
> It makes life easier.)
> 
> {^_-}
> 


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux