From: "jdow" <jdow@xxxxxxxxxxxxx>
I craft my own firewall here using iptables.
I have a favorite trick I learned from someone else a few years ago that I
use to handle ssh security. Since ssh breaks every once in a while and I
like to leave it open, it gets special security efforts.
The trick is quite simple within iptables. If I get one connection failure
I have to wait several seconds before making a retry. ("OK, Joanne, don't
hyperventilate. Just count to 10 and try again." {^_-})
The common attack is a dictionary attack with several attempts a second.
So of course, they get one shot to crack a password, usually for <snicker>
root, which is dumb to begin with. After that first attempt they are
blocked for the rest of their run.
If they are canny enough to figure out "wait N seconds and then try again"
they can dictionary attack me no more than about 43000 attempts per day if
they cut back to one every couple seconds. If I do not have a dictionary
word (or even a word) as a password, it is not 8 characters, and so forth
how long would it take to guess "Fis8ottlemew" or something equally silly?
The universe would grow cold, first.
So good attack developers (bless them in a left handed sort of way) are
smart enough not to attack for more than a minute or so, a few hundred
packets floating in the attack, before they quit. The bad ones run up to
maybe 3000 or 4000 attempts before they stop.
Now, I have to wonder about the quality of education in Albania after
last night. An Albanian cracker, or at least an idiot originating an
attack from albtelecom.al (217.24.240.77) wasted three full hours and
36807 connection attempts to get ONE, exactly ONE, shot at cracking
my system, the first attempt. All others were rejected and logged. I
just gotta shake my head at the pathetic twit who created the software
that made that attempt. At least my machine kept a whole lot of other
machines from being attacked and I got a huge laugh about it. (And
albtelecom.al finds its little block as one of my permanent blocks in
the firewall, now. This is not the first attack from that /20 block!)
I love IPTables.
{^_-} Joanne
People asked - here is the answer:
# Then setup the reject trap
# Record every new SSH connection attempt (SYN) from a source in the 'sshattack' list
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# A second SYN from the same source within 180 seconds: log it ...
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
# ... and reject it with a TCP reset instead of letting it reach sshd
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
Adapt it to your configuration, of course.
{^_^} (I probably should have included that in the first email for
politeness. Please 'scuse me.)
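An added illustration, not part of Joanne's post: a small Python model of how the 'recent' match in those three rules treats a sequence of SSH SYNs. It approximates the kernel's xt_recent behaviour (per-source timestamp list, --set before --rcheck), and the traffic and addresses are constructed.

```python
"""Model of the three 'sshattack' rules: --set, then --rcheck --seconds 180 --hitcount 2."""
from collections import defaultdict, deque

WINDOW_SECONDS = 180   # --seconds 180
HITCOUNT = 2           # --hitcount 2
LIST_TOT = 20          # xt_recent default ip_pkt_list_tot: timestamps kept per source


class RecentTable:
    """Per-source list of recent SYN timestamps, like the 'sshattack' list."""

    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, src, now):
        # --set: record this packet's timestamp for the source address
        # (oldest stamp is overwritten once LIST_TOT are stored)
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck: true if the source has at least `hitcount` recorded hits
        # within the last `seconds` seconds; the current SYN is already in
        # the list because the --set rule ran first
        if src not in self.hits:
            return False
        recent = [t for t in self.hits[src] if now - t <= seconds]
        return len(recent) >= hitcount


def filter_syn(table, src, now):
    """Walk the three rules for one SYN to port 22; return 'pass' or 'reject'."""
    table.set(src, now)                                    # rule 1: --set
    if table.rcheck(src, now, WINDOW_SECONDS, HITCOUNT):   # rules 2 and 3
        return "reject"                                    # LOG, then REJECT tcp-reset
    return "pass"                                          # falls through to the rest of INPUT


def simulate(events):
    """events: (seconds, src) SYNs; returns verdicts in time order."""
    table = RecentTable()
    return [filter_syn(table, src, t) for t, src in sorted(events)]


if __name__ == "__main__":
    # constructed traffic: one source hammering port 22, one retrying patiently
    hammer = [(0, "198.51.100.7"), (0.5, "198.51.100.7"), (1, "198.51.100.7"), (100, "198.51.100.7")]
    patient = [(0, "203.0.113.9"), (200, "203.0.113.9")]
    print(simulate(hammer))    # only the first SYN gets through; every retry is also recorded
    print(simulate(patient))   # a retry after the window has fully expired passes again
```

Because every rejected SYN is itself recorded by the --set rule, a source that keeps retrying inside the window never clears it; it has to go quiet for the full 180 seconds first.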