Re: iptables and ssh

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2006-06-13 at 13:31 +0200, Rainer Traut wrote:
> Hi,
> 
> jdow schrieb:
> 
> >> sth like this?
> >> this is from my iptables script, you have to adjust the variables.
> >>
> >> $ipt -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --name 
> >> SSH --update --seconds 60 --hitcount 4 -j LOG_DROP
> >>
> >> $ipt -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --name 
> >> SSH --set
> >>
> >> Rainer
> > 
> > I do it a little more thoroughly - I log the attempts after timeouts.
> > 
> > # Then setup the reject trap.
> > $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> > $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >  --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
> > $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> >  --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
> > 
> 
> hmm, I'm logging them, too.
> But you're rejecting them and that is more convenient for the attacker, 
> isn't it?
> This way he doesn't have half open tcp connections which sooner or later 
> hurt him.
> 
I use the DROP, but I cannot see where your target LOG_DROP is in the
man page so I cannot tell if this is a valid target.  The man page says
to use 2 lines, one to do the logging and the second to DROP/REJECT the
packet.
I prefer DROP to REJECT because I do not want to send _anything_ back to
the attacker.

Also, the sequence of yours seems wrong. When a packet is dropped or
rejected the chain terminates so the next line would never get
processed.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux