On Fri, 2005-04-08 at 10:36 +0300, Dotan Cohen wrote:
> I see that the attacker is coming from multiple IP's. Although I
> currently do not ssh into this computer, I would like to leave that
> option open. Actually, I would like to set that up as soon as possible.
> What should I block if I am being attacked by several IP's, but I do
> not want to block ssh altogether?
>

You can also configure IPTABLES to look for failed attempts to log on and block the IP temporarily (say for 5 minutes) after a number of failed logon attempts (say 5 within 60 seconds). That's what we do and it reduces the log noise and limits the attacks. Here's what I use in IPTABLES (I'm sure members of this list could improve on this - also code may wrap):

#!/bin/sh
# Modprobe the extra modules we need
modprobe ipt_recent
modprobe ip_conntrack

# Remove any old rules
iptables -F
iptables -X
iptables -Z

# Some variables - REPLACE WITH YOUR IP
IFACE="eth0"
IPADDR="192.168.1.1"

# Kill ssh hackers - watch for more than 5 connection attempts in under
# 60 seconds and reject for 5 minutes
iptables -N SSH-EVIL
iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
iptables -A SSH-EVIL -j REJECT

iptables -N SSH
iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 300 -j REJECT
iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-EVIL
iptables -A SSH -p tcp --syn -m recent --name sshconn --set
iptables -A SSH -p tcp --syn -j ACCEPT

# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Send ssh down our user-defined chain, allow ftp
...
iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 22 -j SSH
...
rest of IPTABLES rules

--
Brian Gaynor
FC3/Linux on DELL Inspiron 5160 3.0Ghz
canis 09:23:07 up 52 min, 2 users, load average: 0.15, 0.15,
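The following is an added worked example, not part of Brian Gaynor's message or his rule set: a small Python model of the decision order in his SSH chain (badSSH check for 300 s, then sshconn check for 5 hits in 60 s, then set), replayed over a constructed sequence of SYN timestamps so the thresholds can be checked offline without root or iptables. The addresses, times and the RecentList/SshChain names are assumptions made for the example; the window semantics are a simplification of ipt_recent (it keeps a bounded number of timestamps per address, the model keeps all of them).

```python
"""Offline model of the ipt_recent-based SSH throttle from the message above.

Constructed example, not code from the original message. It replays SYNs
from a few sources through the same decision order as the SSH chain so a
defender can see exactly which attempt gets rejected and when the block
lapses. Simplification of ipt_recent: --rcheck matches when the address is
in the named list and at least --hitcount entries fall within --seconds;
--set appends the packet time. Real ipt_recent bounds the list sizes.
"""
from collections import defaultdict

BLOCK_SECONDS = 300      # --seconds 300 on the badSSH --rcheck
WINDOW_SECONDS = 60      # --seconds 60 on the sshconn --rcheck
HITCOUNT = 5             # --hitcount 5 on the sshconn --rcheck


class RecentList:
    """Per-address list of packet times, like one ipt_recent --name list."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, addr, now):
        """--set: record this packet's time for addr."""
        self.hits[addr].append(now)

    def rcheck(self, addr, now, seconds, hitcount=1):
        """--rcheck: addr is listed and >= hitcount entries lie within seconds."""
        if addr not in self.hits:
            return False
        recent = [t for t in self.hits[addr] if now - t <= seconds]
        return len(recent) >= hitcount


class SshChain:
    """The user-defined SSH chain, SYN packets only (the ESTABLISHED rule is skipped)."""

    def __init__(self):
        self.bad = RecentList()      # --name badSSH
        self.conn = RecentList()     # --name sshconn

    def syn(self, addr, now):
        """Return the verdict for a new SSH SYN from addr at time now (seconds)."""
        # Rule 1: still inside a 300 s block -> REJECT without refreshing it
        if self.bad.rcheck(addr, now, BLOCK_SECONDS):
            return "REJECT(blocked)"
        # Rule 2: 5 earlier SYNs inside 60 s -> jump to SSH-EVIL (set badSSH, REJECT)
        if self.conn.rcheck(addr, now, WINDOW_SECONDS, HITCOUNT):
            self.bad.set(addr, now)
            return "REJECT(evil)"
        # Rule 3 and 4: record the attempt, then ACCEPT
        self.conn.set(addr, now)
        return "ACCEPT"


def replay(events):
    """Feed (addr, time) pairs through one chain in time order; return verdicts."""
    chain = SshChain()
    return [(addr, t, chain.syn(addr, t))
            for addr, t in sorted(events, key=lambda e: e[1])]


# Constructed traffic: one source hammering every 5 s, then returning after the
# block lapses; one admin (constructed address) connecting twice, far apart.
EVENTS = ([("10.0.0.5", t) for t in (0, 5, 10, 15, 20, 25, 30)]
          + [("10.0.0.5", 340), ("203.0.113.7", 12), ("203.0.113.7", 400)])

if __name__ == "__main__":
    for addr, t, verdict in replay(EVENTS):
        print(f"t={t:4d}s  {addr:<12} {verdict}")
```

Replaying the constructed events shows the sixth SYN inside the 60 s window (t=25) is the one sent to SSH-EVIL, the next one (t=30) is rejected by the badSSH check, and at t=340 the same source is accepted again because --rcheck does not refresh the badSSH timestamp and the old sshconn entries have aged out. A source that keeps retrying therefore gets a fresh window every 5 minutes; ipt_recent's --update flag (rcheck plus a timestamp refresh) is the knob that would extend the block for as long as attempts continue.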