On Sat, Apr 15, 2006 at 12:42:15PM -0400, sberaud wrote:
>
> Adding the drop rule was made easy with Webmin, once I knew what I had
> to do.
>

Okay, so here's what I do. I use ipt_recent, which allows you to do
<something> if someone tries to connect to you at a fairly high rate.
This stops the brute force ssh attacks in their tracks.

# Rate limit SSH -- avoid dictionary attacks
# $extdev holds the name of the external interface (set earlier in the script)
# Rule 1: record the source of every NEW connection to port 22
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
    --set
# Rule 2: 4 or more hits from that source within 60 seconds -> log it
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 4 -j LOG
# Rule 3: same condition -> drop the packet
iptables -A INPUT -p tcp --dport 22 -i $extdev -m state --state NEW -m recent \
    --update --seconds 60 --hitcount 4 -j DROP

- so rule one sets things up for me.
- Rule two says "if you get four connections to TCP port 22 in a 60
  second window then log it"
- Rule three says "if you get four connections to TCP port 22 in a 60
  second window then drop the packet."

tada. They get three cracks at it and then it silently fails on them.

The only annoying thing is that if your network goes down and you have
a few scripts that connect over ssh to the server then you may firewall
yourself out for a few minutes when the network returns.

mh
--
Martin Hicks || mort [ at ] bork [ dot ] org || PGP/GnuPG: 0x4C7F2BEE
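The following is an added example, not part of Martin's mail: a small Python model of the ipt_recent `--set` / `--update --seconds --hitcount` semantics that the three rules above rely on, so you can see why the fourth connection in a 60 second window is dropped, why a source that keeps knocking stays blocked (each matching `--update` adds a fresh timestamp), and how the "firewalled yourself out by your own scripts" situation he describes plays out. Assumptions of the model: a per-address ring of 20 timestamps (the module's default list size), an ACCEPT verdict for packets that fall through the three rules, whole-second timestamps, and constructed addresses from the 203.0.113.0/24 documentation range.

```python
"""Model of the ipt_recent rules in the mail above (constructed, not kernel code).

Rule 1: -m recent --set
Rule 2: -m recent --update --seconds 60 --hitcount 4 -j LOG
Rule 3: -m recent --update --seconds 60 --hitcount 4 -j DROP
"""
from collections import deque

RING = 20          # assumed: per-address stamp limit (module default ip_pkt_list_tot)
WINDOW = 60        # --seconds
HITCOUNT = 4       # --hitcount


class RecentList:
    """One ipt_recent list: source address -> ring of hit timestamps."""

    def __init__(self):
        self.entries = {}

    def set(self, addr, now):
        """--set: record a hit for addr, creating the entry on first sight."""
        self.entries.setdefault(addr, deque(maxlen=RING)).append(now)
        return True  # --set always matches; rule 1 has no target so nothing else happens

    def update(self, addr, now, seconds, hitcount):
        """--update: match when addr has >= hitcount stamps no older than
        `seconds`; a match also records `now`, which is what keeps a
        persistent knocker blocked for as long as it keeps knocking."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if now - s <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


def ssh_new_connection(table, addr, now, log):
    """Walk the three rules for one NEW SYN to port 22 and return the verdict."""
    table.set(addr, now)                                   # rule 1
    if table.update(addr, now, WINDOW, HITCOUNT):          # rule 2: LOG does not terminate
        log.append(f"t={now}s SRC={addr} DPT=22 SYN rate-limit")
    if table.update(addr, now, WINDOW, HITCOUNT):          # rule 3
        return "DROP"
    return "ACCEPT"  # assumed: a later rule accepts the connection


def simulate(events):
    """events: iterable of (time_s, src_addr) NEW connections in time order.
    Returns ([verdict, ...], [log line, ...])."""
    table, log, verdicts = RecentList(), [], []
    for now, addr in events:
        verdicts.append(ssh_new_connection(table, addr, now, log))
    return verdicts, log


# Constructed scenarios.
ATTACKER, SCRIPT_HOST = "203.0.113.9", "203.0.113.50"

def brute_force():
    """Four quick attempts, then one after the window has expired."""
    return simulate([(0, ATTACKER), (1, ATTACKER), (2, ATTACKER), (3, ATTACKER), (70, ATTACKER)])

def persistent_knocker():
    """After being blocked, retrying every 30 s never gets back in."""
    return simulate([(0, ATTACKER), (1, ATTACKER), (2, ATTACKER), (3, ATTACKER),
                     (33, ATTACKER), (63, ATTACKER), (93, ATTACKER)])

def scripts_after_outage():
    """Four ssh cron jobs reconnect at once when the link returns, one retries
    15 s later, and the host is clear again only after a quiet minute."""
    return simulate([(100, SCRIPT_HOST)] * 4 + [(115, SCRIPT_HOST), (176, SCRIPT_HOST)])


if __name__ == "__main__":
    for name, fn in (("brute force", brute_force), ("persistent", persistent_knocker),
                     ("scripts", scripts_after_outage)):
        verdicts, log = fn()
        print(f"{name}: {verdicts}")
        for line in log:
            print("  LOG", line)
```

Run it directly to see the verdict sequences; the third scenario is Martin's caveat in miniature: the fourth reconnecting script is dropped, a retry inside the window stays dropped, and the host is only unblocked once it has been quiet for longer than the 60 second window.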