Aine Douglas wrote:
> Hi Guys,
> I'm getting sick of seeing log entries for SSH dictionary attacks, the
> latest coming in the middle of me watching a live log while trying to
> solve a problem.
I'm using the following in my firewall script to sort the problem:
# Rules to stop ssh brute force attacks
# Helper chain: whitelisted sources are removed from the "SSH" recent list and
# accepted straight away, so they never accumulate hits.
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s whitelisted_ip1 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s whitelisted_ip2 -m recent --remove --name SSH -j ACCEPT
# Record every new connection to port 22 in the recent list named "SSH"
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Apply the whitelist exemption before the hit counters are checked
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
# A source with 4 or more new connections in the last 60 seconds is logged via ULOG
# (--rttl only counts hits whose TTL matches the packet that created the entry) ...
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
# ... and then dropped; ULOG is non-terminating, so the same match is repeated here
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Anything else arriving on eth0 for port 22 is accepted
iptables -A INPUT -p tcp --destination-port 22 -i eth0 -j ACCEPT
What this does is block for 60 seconds anyone who makes three invalid
attempts to log in via ssh. The whitelisted IPs are exempt from this rule.
Since I started using this, the number of dictionary attacks has gone
down massively. I usually see 3 or 6 entries from 1 or 2 IPs every
morning, and that's it.
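To make the behaviour of those rules concrete, here is an added model (not code from the post or from iptables itself) that replays constructed SSH connection attempts through the same chain order: `--set` records a hit, the whitelist chain's `--remove` wipes the source's entry, and `--update --seconds 60 --hitcount 4` matches once four hits fall inside the window. The addresses, timings, `RecentList` class and `simulate()` helper are all assumptions made for the illustration; the model ignores `--rttl` and the conntrack state match, and collapses the ULOG and DROP rules into one match.

```python
"""Model of the xt_recent rate limit used in the post (added example, not the poster's code)."""
from collections import defaultdict

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
MAX_STAMPS = 20       # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address


class RecentList:
    """One '-m recent --name SSH' table: per-source timestamps of recorded hits."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: create the entry for src if missing and record this packet as a hit."""
        self._stamp(src, now)

    def remove(self, src):
        """--remove: forget src entirely (what the SSH_WHITELIST chain does before ACCEPT)."""
        self.stamps.pop(src, None)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount H: true when src is listed and at least H
        stamps fall within the last S seconds. On a match the current packet is
        stamped as well, which is what keeps a source that keeps hammering blocked."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self._stamp(src, now)
            return True
        return False

    def _stamp(self, src, now):
        self.stamps[src].append(now)
        del self.stamps[src][:-MAX_STAMPS]   # keep only the newest MAX_STAMPS entries


def new_ssh_connection(table, src, now, whitelist, log):
    """Walk the INPUT rules from the post for one NEW tcp/22 packet; return the verdict."""
    table.set(src, now)                       # -m recent --set --name SSH
    if src in whitelist:                      # -j SSH_WHITELIST
        table.remove(src)                     #   -m recent --remove --name SSH -j ACCEPT
        return "ACCEPT"
    # ULOG and DROP rules carry identical match options; ULOG is non-terminating,
    # so a matching packet is logged and then dropped (modelled as one match here).
    if table.update(src, now, WINDOW_SECONDS, HITCOUNT):
        log.append(f"SSH_brute_force src={src} t={now}")
        return "DROP"
    return "ACCEPT"                           # final -j ACCEPT for port 22


def simulate(events, whitelist):
    """Replay (time, src) connection events in time order; return verdicts and log lines."""
    table = RecentList()
    log = []
    verdicts = [(t, src, new_ssh_connection(table, src, t, whitelist, log))
                for t, src in sorted(events)]
    return verdicts, log


# Constructed sample traffic (documentation-range addresses, not real hosts):
# a dictionary attacker, a whitelisted host, and an admin logging in every 30 s.
EVENTS = [
    (0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
    (3, "203.0.113.7"), (4, "203.0.113.7"),
    (0, "192.0.2.10"), (1, "192.0.2.10"), (2, "192.0.2.10"),
    (3, "192.0.2.10"), (4, "192.0.2.10"),
    (0, "198.51.100.5"), (30, "198.51.100.5"), (61, "198.51.100.5"), (92, "198.51.100.5"),
    (100, "203.0.113.7"),   # attacker returns after the 60 s window has passed
]
WHITELIST = {"192.0.2.10"}

if __name__ == "__main__":
    verdicts, log = simulate(EVENTS, WHITELIST)
    for t, src, verdict in verdicts:
        print(f"t={t:3d} {src:15} {verdict}")
    print(*log, sep="\n")
```

Running it shows the point that is easy to misread from the rule text: the attacker's first three connections are accepted and the fourth within the window is the one that is logged and dropped, the whitelisted host is never counted because `--remove` runs before the check, an admin connecting every 30 seconds never accumulates four hits inside any 60 second window, and the attacker is accepted again once the window has expired.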
--
Niall Donegan
niall\at\moybella\dot\net
Public-Key: http://moybella.net/~niall/public.gpg
Maintained by the ILUG website team.