On Apr 8, 2005 7:28 PM, Brian Gaynor <briang@xxxxxxxxxxx> wrote:
> On Fri, 2005-04-08 at 10:36 +0300, Dotan Cohen wrote:
>
> > I see that the attacker is coming from multiple IPs. Although I
> > currently do not ssh into this computer, I would like to leave that
> > option open. Actually, I would like to set that up as soon as possible.
> > What should I block if I am being attacked by several IPs, but I do
> > not want to block ssh altogether?
> >
>
> You can also configure IPTABLES to look for failed attempts to log on
> and block the IP temporarily (say for 5 minutes) after a number of
> failed logon attempts (say 5 within 60 seconds). That's what we do and
> it reduces the log noise and limits the attacks. Here's what I use in
> IPTABLES (I'm sure members of this list could improve on this - also
> code may wrap):
>
> #!/bin/sh
> # Modprobe the extra modules we need
> modprobe ipt_recent
> modprobe ip_conntrack
>
> # Remove any old rules
> iptables -F
> iptables -X
> iptables -Z
>
> # Some variables - REPLACE WITH YOUR IP
> IFACE="eth0"
> IPADDR="192.168.1.1"
>
> # Kill ssh hackers - watch for more than 5 connection attempts in under
> # 60 seconds and reject for 5 minutes
> iptables -N SSH-EVIL
> iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
> iptables -A SSH-EVIL -j REJECT
>
> iptables -N SSH
> iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 300 -j REJECT
> iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-EVIL
> iptables -A SSH -p tcp --syn -m recent --name sshconn --set
> iptables -A SSH -p tcp --syn -j ACCEPT
>
> # Allow unlimited traffic on the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Send ssh down our user-defined chain, allow ftp ...
> iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -i $IFACE -p tcp --dport 22 -j SSH
>
> ... rest of IPTABLES rules
>
> --
> Brian Gaynor
> FC3/Linux on DELL Inspiron 5160 3.0Ghz
> canis 09:23:07 up 52 min, 2 users, load average: 0.15, 0.15,
>

This is really nice. When I set up ssh again, and iptables, I will certainly use this. Thank you very much!

Dotan Cohen
http://Song-Lirics.com/
http://Song-Liriks.com/
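To see what Brian's SSH chain actually does to a burst of connections, here is an added Python model of its recent-list logic; it is not part of the thread and not the iptables script itself, and the class and function names and the sample source addresses are my own. It replays SYN arrival times through the same three decisions the chain makes: ban check, hit-count check, then record-and-accept.

```python
from collections import defaultdict

# Parameters taken from the chain in Brian's script
HITCOUNT = 5   # --hitcount 5
WINDOW = 60    # --seconds 60 on the "sshconn" list
BAN = 300      # --seconds 300 on the "badSSH" list

class SshChainModel:
    """Verdict of the SSH chain for one SYN at a time (non-SYN packets ignored).
    A stamp counts as recent when now <= stamp + seconds, assumed to be the
    inclusive boundary ipt_recent uses."""

    def __init__(self, hitcount=HITCOUNT, window=WINDOW, ban=BAN):
        self.hitcount, self.window, self.ban = hitcount, window, ban
        self.sshconn = defaultdict(list)  # --name sshconn: SYN times per source
        self.badssh = {}                  # --name badSSH: time of last SSH-EVIL hit
        self.log = []                     # what the LOG target would emit

    def syn(self, src, now):
        """Return ACCEPT or REJECT for a TCP SYN to port 22 from src at time now."""
        # -m recent --name badSSH --rcheck --seconds 300 -j REJECT
        banned_at = self.badssh.get(src)
        if banned_at is not None and now <= banned_at + self.ban:
            return "REJECT"
        # -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-EVIL
        recent = [t for t in self.sshconn[src] if now <= t + self.window]
        if len(recent) >= self.hitcount:
            # SSH-EVIL chain: --name badSSH --set, LOG, then REJECT
            self.badssh[src] = now
            self.log.append(f"evil SSH user: SRC={src} DPT=22 t={now}")
            return "REJECT"
        # --name sshconn --set, then ACCEPT
        self.sshconn[src].append(now)
        return "ACCEPT"

def replay(events, model=None):
    """Feed (time, src) SYN events through the model and return the verdicts."""
    model = model if model is not None else SshChainModel()
    return [model.syn(src, t) for t, src in events]

# Constructed sample: one source sends six SYNs in 50 s, retries while banned,
# then returns after the 300 s ban expires; a second source connects once.
SAMPLE = [(t, "203.0.113.7") for t in (0, 10, 20, 30, 40, 50)] + [
    (55, "203.0.113.7"), (351, "203.0.113.7"), (360, "198.51.100.9")]

if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={t:3d} {src:13s} {verdict}")
```

The model keeps every stamp, whereas the real module bounds stamps per address and addresses per list (ipt_recent's ip_pkt_list_tot and ip_list_tot module parameters), so a busy host can evict entries earlier than the model predicts.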