On Mon, 2005-12-26 at 17:56 -0800, jdow wrote:
> From: "Christian Motta" <chris@xxxxxxxxx>
>
> > I wrote this script to thwart the brute force ssh hackers. It isn't the
> > most efficient but it works. It blocks their IP using iptables. I run it
> > every min via cron
> >
> > #!/usr/bin/perl
>
> Thanks for the nice script Chris. I may add that to deepen my defenses.
>
> I have found, however, that a simple three line iptables addition seems
> to work like a champ, except for filling up the log.

A nice dynamic iptables tool to monitor sshd and block attacks is sshdfilter.

http://www.csc.liv.ac.uk/~greg/sshdfilter/

I use it on several servers and it works really well to detect and block
attacks. With it an attempt to log in with an unknown account gets instantly
blocked, and with a known account (root or some other user) they only get 6
attempts before it is blocked. Most of the attacks on my systems don't even
get 2 attempts before they are blocked. I don't have root enabled for remote
access so there is no worry there. To avoid an enormously long iptables rule
list the blocked addresses are unblocked after 3 days.

> ===8<---
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
> ===8<---
>
> I've been taking to looking at where large numbers of rejected connections
> come from and have been adding them to the firewall manually. Your script
> can probably be adapted.
>
> (It is amusing how long idiots will keep trying. I had a twit from India
> trying nearly 10,000 times today before I finally blocked him. He got two
> chances in that entire set to actually try to guess a password. He made
> two runs. And right at the start of the two runs he tried and got the
> predictable password failure. After that for an hour or more at a stretch
> he simply pounded that reject rule never getting into the system at all.
> Poor baby. It did prompt me to simply add blanket blocks for much of the
> APNIC space that's allocated to Asian countries I never expect to visit.
> It makes life easier.)
>
> {^_-}
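The blocking policy described above for sshdfilter (unknown account: blocked on the first attempt; known account: blocked after 6 failures; blocks lifted after 3 days) as an added, self-contained example. This is not sshdfilter's code and not the Perl script from the thread; it is a log-driven blocker written for this page. The sshd log lines it replays are constructed for the example (RFC 5737 test addresses, 2005-era OpenSSH wording with no year in the syslog timestamp, so the year is assumed), the set of known accounts is an assumption standing in for /etc/passwd, and the iptables commands are collected as strings rather than executed so the whole thing runs offline without root.

```python
"""Log-driven SSH brute-force blocker modelled on the policy the post describes.

Added example, not sshdfilter's own code.  Replays sshd syslog lines through a
small policy engine and records the iptables commands it would run.
"""
import re
from datetime import datetime, timedelta

# 2005-era OpenSSH syslog wording; the timestamp carries no year, so one is assumed.
SYSLOG_TS = "%Y %b %d %H:%M:%S"
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2005):
    """Return (timestamp, user, ip, unknown_account) or None for lines we ignore."""
    try:
        ts = datetime.strptime(f"{year} {line[:15]}", SYSLOG_TS)
    except ValueError:
        return None
    m = INVALID_USER.search(line)
    if m:
        return ts, m.group(1), m.group(2), True
    m = FAILED_PW.search(line)
    if m:
        return ts, m.group(1), m.group(2), "invalid user" in line
    return None


class SshBlocker:
    """Hypothetical policy engine; `known_users` stands in for the accounts in /etc/passwd."""

    RULE = "iptables {action} INPUT -s {ip} -p tcp --dport 22 -j DROP"

    def __init__(self, known_users, max_failures=6, block_days=3):
        self.known = set(known_users)
        self.max_failures = max_failures
        self.block_for = timedelta(days=block_days)
        self.failures = {}   # ip -> failed logins against known accounts
        self.blocked = {}    # ip -> datetime at which the block expires
        self.commands = []   # iptables commands we would run (recorded, not executed)

    def _block(self, ip, ts):
        self.blocked[ip] = ts + self.block_for
        self.commands.append(self.RULE.format(action="-I", ip=ip))

    def expire(self, now):
        """Lift blocks older than block_days so the INPUT chain does not grow forever."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.failures.pop(ip, None)
                self.commands.append(self.RULE.format(action="-D", ip=ip))

    def feed(self, line):
        """Apply the policy to one log line and return a verdict string."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, user, ip, unknown = parsed
        self.expire(ts)
        if ip in self.blocked:
            return "already-blocked"
        if unknown or user not in self.known:
            self._block(ip, ts)          # unknown account: blocked on the first attempt
            return "blocked:unknown-user"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self._block(ip, ts)          # known account: blocked after max_failures
            return "blocked:too-many-failures"
        return "counted"


# Constructed sample log (not real traffic): one scanner trying unknown accounts,
# one hammering a known account, one that stops after two tries, and a late line
# three days on that shows the earlier blocks expiring.
SAMPLE_LOG = """\
Dec 26 17:56:01 host sshd[2301]: Invalid user test from 192.0.2.10
Dec 26 17:56:01 host sshd[2301]: Failed password for invalid user test from 192.0.2.10 port 40012 ssh2
Dec 26 17:56:03 host sshd[2303]: Invalid user admin from 192.0.2.10
Dec 26 18:01:10 host sshd[2310]: Failed password for chris from 198.51.100.7 port 50001 ssh2
Dec 26 18:01:12 host sshd[2311]: Failed password for chris from 198.51.100.7 port 50002 ssh2
Dec 26 18:01:14 host sshd[2312]: Failed password for chris from 198.51.100.7 port 50003 ssh2
Dec 26 18:01:16 host sshd[2313]: Failed password for chris from 198.51.100.7 port 50004 ssh2
Dec 26 18:01:18 host sshd[2314]: Failed password for chris from 198.51.100.7 port 50005 ssh2
Dec 26 18:01:20 host sshd[2315]: Failed password for chris from 198.51.100.7 port 50006 ssh2
Dec 26 18:01:22 host sshd[2316]: Failed password for chris from 198.51.100.7 port 50007 ssh2
Dec 26 18:05:00 host sshd[2320]: Failed password for chris from 203.0.113.5 port 50100 ssh2
Dec 26 18:05:02 host sshd[2321]: Failed password for chris from 203.0.113.5 port 50101 ssh2
Dec 29 18:10:00 host sshd[2400]: Invalid user oracle from 192.0.2.77
"""


def run_log(log, known_users):
    """Replay a log through the policy; return the blocker and the per-line verdicts."""
    blocker = SshBlocker(known_users)
    verdicts = [blocker.feed(line) for line in log.splitlines() if line.strip()]
    return blocker, verdicts


if __name__ == "__main__":
    blocker, verdicts = run_log(SAMPLE_LOG, known_users={"chris", "root"})
    for cmd in blocker.commands:
        print(cmd)
```

Running it prints the insert for 192.0.2.10 and 198.51.100.7, then, once the Dec 29 line arrives, the two deletes followed by the insert for 192.0.2.77; 203.0.113.5 is never blocked because it stopped at two failures. One difference from the `recent`-module rules quoted above is worth keeping in mind when choosing between the two approaches: those rules count SYNs on port 22, so any client that opens three connections within 120 seconds is rejected whether or not a password ever failed, whereas a log-driven blocker like this one reacts only to actual authentication failures and can distinguish an unknown account from a known one.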