Re: Blocking SSH ... BUT...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 11:53 AM -0600 9/18/07, Ashley M. Kirchner wrote:
>    Hey all,
>
>    I have the following lines in my iptables config file to curb ssh
>knocking on our servers:
>
># Let's see if we can curb SSH attacks.
>-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>
>-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
>--seconds 120 --hitcount 2 -j LOG  -log-prefix "SSH REJECT: "
>
>-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
>--seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
>
>
>    This works great...EXCEPT it also blocks our own access to the
>servers if we need to get on them in a short amount of time (less than
>120 seconds).  So how can I still implement the above blocking, but
>allow anything from our different subnets (we have 4) come through
>without going through that block routine?

I use pam_recent, from <http://snafu.priv.at/mystuff/recent-plus-pam.html>
, to remove successful logins from the sshattack list.  As I have
additional delays for the persistent attacker, it's really important to
remove the successful logins.

My rules actually cover the range 21:22 to protect both FTP and SSH.  I use
ip_conntrack_ftp, set as an entry in the IPTABLES_MODULES line in
/etc/sysconfig/iptables-config.
-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
      '                              <http://www.georgeanelson.com/>


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux