From: "Lpct"
Subject: Re: SSHBrute Force: False Postives
Date: Thu, 1 Feb 2007 01:28:31 -0000
Message-ID: <20070201042831.DD4F532A702@linux.pctools.cl>
To: netfilter@lists.netfilter.org

--------- Original Message --------
From: Dominic Caputo
To: netfilter@lists.netfilter.org
Subject: SSHBrute Force: False Postives
Date: 01/02/07 02:30

> I have been reading up on iptables and I am by no means an expert, but I have
> a problem with SSH brute-force attacks on port 22. I am currently using the
> config below to minimise these threats, but I am constantly getting false
> positives (the logs actually say that my connection has been flagged as a
> brute-force connection even on the first attempt, but on other occasions it
> connects first time with no problems).
>
> #SSH Brute-Force Scan Check
> $IPTABLES -N SSH_Brute_Force
> $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW \
>     -m recent --name SSH --set --rsource -j SSH_Brute_Force
> $IPTABLES -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 4 \
>     --name SSH --rsource -j ACCEPT
> $IPTABLES -A SSH_Brute_Force -j LOG --log-level info \
>     --log-prefix "SSH Brute Force Attempt: "
> $IPTABLES -A SSH_Brute_Force -p tcp -j DROP
>
> Any help with this problem would be great.
>
> Dominic
>

.... You can start by changing the SSH port from 22 to xxx... This doesn't solve your problem, but this measure reduces this kind of attack by about 70%.

________________________________________________
linux.pctools.cl
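One way a single login can trip the rules quoted above: `-m recent --set` records a hit for every packet in conntrack state NEW, and conntrack keeps a connection in NEW until it has seen traffic in both directions, so a client whose SYN has to be retransmitted (no SYN-ACK arrived yet) registers one hit per retransmission, not one per login. The simulation below is an added example, not code from the netfilter project or from either poster. It models the `--set` and `--rcheck --seconds 60 --hitcount 4` operations as a per-source list of packet timestamps and replays two constructed packet traces through the posted rule logic. The retransmission times (1 s, 3 s, 7 s) assume the Linux default initial retransmission timeout of 1 s with exponential backoff; the addresses and traces are constructed sample data.

```python
"""Replay of the posted xt_recent SSH rules over constructed packet traces.

Added example, not code from the netfilter project or from either poster.
It models the two 'recent' operations the ruleset uses as a per-source list
of packet timestamps (xt_recent keeps at most ip_pkt_list_tot = 20 per
address by default) and applies the posted logic to each NEW packet:

    INPUT:           -p tcp --dport 22 --state NEW -m recent --set -j SSH_Brute_Force
    SSH_Brute_Force: -m recent ! --rcheck --seconds 60 --hitcount 4 -j ACCEPT
                     -j LOG ; -j DROP

Assumption: conntrack marks every packet of a connection NEW until traffic
has been seen in both directions, so a retransmitted SYN is also NEW and
adds a hit.  All traces below are constructed sample data.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # xt_recent default number of timestamps kept per address


class RecentTable:
    """Minimal model of one named xt_recent list keyed by source address."""

    def __init__(self, max_pkts=IP_PKT_LIST_TOT):
        self.entries = defaultdict(lambda: deque(maxlen=max_pkts))

    def set(self, src, now):
        """-m recent --set --rsource: record this packet's timestamp."""
        self.entries[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """-m recent --rcheck --seconds S --hitcount N: true when the address
        is in the list and at least N of its packets fell within the last S s."""
        stamps = self.entries.get(src)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        return hits >= hitcount


def replay_ssh_rules(packets, seconds=60, hitcount=4):
    """Run NEW packets (src, time_in_s) through the posted rules; return verdicts."""
    table = RecentTable()
    verdicts = []
    for src, now in packets:
        table.set(src, now)                                # INPUT: --set, then -j SSH_Brute_Force
        if not table.rcheck(src, now, seconds, hitcount):  # ! --rcheck ... -j ACCEPT
            verdicts.append("ACCEPT")
        else:                                              # -j LOG "SSH Brute Force Attempt: ", -j DROP
            verdicts.append("DROP")
    return verdicts


# Constructed trace 1: one legitimate login over a lossy path.  The SYN-ACK is
# lost three times, so the client retransmits its SYN after 1 s, then 2 s, then
# 4 s (assumed Linux default initial RTO of 1 s with exponential backoff).  The
# firewall sees four packets, all in state NEW, for a single login attempt.
LOSSY_LOGIN = [("203.0.113.10", 0.0), ("203.0.113.10", 1.0),
               ("203.0.113.10", 3.0), ("203.0.113.10", 7.0)]

# Constructed trace 2: a real brute-force client opening ten connections in
# ten seconds from one address.
BRUTE_FORCE = [("198.51.100.7", float(i)) for i in range(10)]


def summarize(verdicts):
    """Count verdicts so the effect of a threshold can be compared at a glance."""
    return {"accepted": verdicts.count("ACCEPT"), "dropped": verdicts.count("DROP")}


if __name__ == "__main__":
    for name, trace in (("lossy login", LOSSY_LOGIN), ("brute force", BRUTE_FORCE)):
        for hc in (4, 8):
            print(f"{name:12s} hitcount={hc}: {summarize(replay_ssh_rules(trace, hitcount=hc))}")
```

With the posted threshold the fourth retransmitted SYN of the single lossy login is logged as "SSH Brute Force Attempt" and dropped, while the brute-force client is cut off from its fourth connection onward; raising `--hitcount` to 8 lets the lossy login through and still drops the brute-force client after seven connections, which is the trade-off any threshold on NEW packets per source makes.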