From: "Frank Cox" <theatre@xxxxxxxxxxx>
On Wed, 16 Aug 2006 12:47:31 -0400
David Cary Hart <Fedora@xxxxxxxxxxx> wrote:
I cannot see any way that this could be used to create a ddos.
Getting locked out of your box for 3 hours wouldn't bother you?
As an alternative consider this iptables trick:
===8<---
# Then setup the reject trap.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
===8<---
You get one try within 3 minutes. There has to be three minutes without
attempts before it opens again. This is on a source by source basis.
It also thoughtfully logs how many times the bozo tries so you can get
him blackballed by cooperative ISPs. (I don't bother with much from
APNIC. For them I build rules like this and have done with them:
$IPTABLES -A INPUT -p tcp -i $EXTIF -s 220.0.0.0/7 -d $INTNET --dport 22 -j
drop-and-log-it
I expect to visit parts of the US from time to time for business or
conventions. I figure visiting Asia might be nice - but getting a
connection while over there would be a bother. So the block is no big
deal.
I figure if I make a password booboo waiting for 3 minutes is a penalty
I've earned. Of course, when travelling I "could" increase the --hitcount
to three or four.
{^_^} Joanne
