From: "Christian Motta" <chris@xxxxxxxxx>
I wrote this script to thwart the brute force ssh hackers. It isn't the
most efficient but it works. it blocks their ip using iptables. I run it
every min via cron
#!/usr/bin/perl
Thanks for the nice script Chris. I may add that to deepen my defenses.
I have found, however, that a simple three line iptables addition seems
to work like a champ, except for filling up the log.
===8<---
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
$iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---
I've been taking to looking at where large numbers of rejected connections
come from and have been adding them to the firewall manually. Your script
can probably be adapted.
(It is amusing how long idiots will keep trying. I had a twit from India
trying nearly 10,000 times today before I finally blocked him. He got two
chances in that entire set to actually try to guess a password. He made
two runs. And right at the start of the two runs he tried and got the
predictable password failure. After that for an hour or more at a stretch
he simply pounded that reject rule never getting into the system at all.
Poor baby. It did prompt me to simply add blanket blocks for much of the
APNIC space that's allocated to Asian countries I never expect to visit.
It makes life easier.)
{^_-}