Re: SSH Brute force attacks

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: iptables <netfilter@lists.netfilter.org>
Subject: Re: SSH Brute force attacks
Date: Sat, 07 May 2005 00:32:28 -0500	[thread overview]
Message-ID: <427C52EC.6020004@riverviewtech.net> (raw)
In-Reply-To: <427B93EE.3030905@eccotours.dyndns.org>

> One one of my hosted boxes, my logwatch scripts continuously pipe out my 
> ssh and auth log of unsuccessful dictionary attacks
> 
> I came across this link : http://blog.andrew.net.au/2005/02/17/

Not a bad idea, but I think there is a little bit of room for growth.

# Let's jump to the SSH_Brute_Force chain if this is a new connection that is not from my IP address.
# This will prevent processing these rules for non SSH traffic.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_Brute_Force
# Let's white list some IP addresses.
iptables -A SSH_Brute_Force -s $My_IP_Address -j RETURN
iptables -A SSH_Brute_Force -s $My_Friends_IP_Address -j RETURN
iptables -A SSH_Brute_Force -s $Any_other_IP_that_I_want_to_white list -j RETURN
# If there have not been 4 NEW connection attempts from this source IP address in the last 60 seconds let's return to the INPUT chain.
iptables -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent --hitcount 4 --set --name SSH -j RETURN
# Well, the NEW connection has been seen so let's update the SSH recent list.
iptables -A SSH_Brute_Force -m recent --name SSH --update
# I like to log on a line by it's self so I don't have to remember to do it on my last line prior to the end of my script.
iptables -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt:  "
# Let's send the person that is trying to SSH in to us to the TARPIT target and make them think twice before they try again.
# TARPIT will force the site that is SSHing in to us to timeout the connection.  Sure stick you hand in my port, I'll grab hold of it and not let go,
# you will have to chew your arm off and grow a new one and try again.  I'll hold your new arm again and again and again and...  This should slow you down.
iptables -A SSH_Brute_Force -j TARPIT
# I can be a mean vindictive SoB (Sweet Old Buzzard.  NOT!)

I tried putting in comments to explain the logic of what is going on, if you have any questions please let me know.

Grant. . . .

next prev parent reply	other threads:[~2005-05-07  5:32 UTC|newest]

Thread overview: 82+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-05-06 15:57 SSH Brute force attacks Brent Clark
2005-05-06 16:40 ` Mogens Valentin
2005-05-06 19:29 ` R. DuFresne
2005-05-07  5:14 ` Taylor, Grant
2005-05-10 14:01   ` Eric Wood
2005-05-11 12:35   ` Brent Clark
2005-05-11 18:21     ` Taylor, Grant
2005-05-11 19:04       ` Pete Toscano
2005-05-11 19:15         ` Taylor, Grant
2005-05-11 19:30           ` Pete Toscano
2005-05-11 20:34             ` Jason Opperisano
2005-05-13 21:31               ` okay, I admit confusion here; R. DuFresne
2005-05-13 21:55                 ` Jason Opperisano
2005-05-16 17:40                   ` R. DuFresne
2005-05-16 20:55                     ` Taylor, Grant
2005-05-16 21:05                 ` Taylor, Grant
2005-05-14  7:02               ` SSH Brute force attacks Georgi Alexandrov
2005-05-14 15:47                 ` Jason Opperisano
2005-05-15 20:12                 ` Patrick Nelson
2005-05-17  0:49                   ` Charlie Brady
2005-05-14  9:08       ` Łukasz Hejnak
2005-05-14 19:08         ` Taylor, Grant
2005-05-16  8:16           ` Łukasz Hejnak
2005-05-17  1:05             ` Charlie Brady
2005-05-17  5:00               ` Łukasz Hejnak
2005-05-17  5:19                 ` Łukasz Hejnak
     [not found]                   ` <42898402.10507@eccotours.dyndns.org>
2005-05-17 12:44                     ` Łukasz Hejnak
2005-05-17 13:20                       ` Brent Clark
2005-05-17 13:36                         ` Sadus .
2005-05-17 16:06                           ` Łukasz Hejnak
2005-05-17 15:21                         ` Taylor, Grant
2005-05-18 12:39                       ` Brent Clark
2005-05-19  4:55                         ` Taylor, Grant
2005-05-19  9:05                           ` Brent Clark
2005-05-19 14:39                             ` Taylor, Grant
2005-05-20 13:01                               ` Brent Clark
2005-05-20 14:53                                 ` Taylor, Grant
2005-05-23 16:31                                   ` Brent Clark
2005-06-02 16:13                                     ` Sadus .
2005-06-02 16:43                                       ` Taylor, Grant
2005-06-02 19:18                                         ` Sadus .
2005-06-13 14:39                                           ` Taylor, Grant
2005-06-13 16:17                                             ` Patrick Nelson
2005-06-13 16:27                                             ` /dev/rob0
2005-06-13 19:00                                             ` R. DuFresne
2005-05-18 16:54                       ` Jim Miller
2005-05-18 17:51                         ` Łukasz Hejnak
2005-05-19  2:09                         ` Taylor, Grant
2005-05-21  8:00                       ` Пётр Волков Александрович
2005-05-21 22:37                         ` Taylor, Grant
2005-05-22  7:11                           ` Пётр Волков Александрович
2005-05-22 10:09                           ` Marius Mertens
2005-05-22 10:57                             ` Łukasz Hejnak
2005-05-23 16:14                               ` Taylor, Grant
2005-05-17  6:55               ` Taylor, Grant
     [not found]                 ` <1116333615.24331.4.camel@debianbox>
2005-05-17 15:25                   ` Taylor, Grant
2005-05-23 16:53               ` Taylor, Grant
2005-05-24 16:19                 ` Marius Mertens
2005-05-25  5:35                 ` Brent Clark
2005-05-25  8:48                   ` Marius Mertens
2005-05-25 18:10                   ` Taylor, Grant
2005-05-26 11:17                     ` Brent Clark
2005-05-31  4:12                       ` Taylor, Grant
2005-05-31 10:06                         ` Brent Clark
2005-05-31 14:17                           ` Taylor, Grant
2005-05-28 23:24                 ` Sebastian Siewior
2005-05-29  1:01                   ` Taylor, Grant
2005-05-07  5:32 ` Taylor, Grant [this message]
2005-05-08 15:20   ` Alistair Tonner
2005-05-08 18:51     ` Dwayne Hottinger
2005-05-08 22:57       ` Alexander Samad
2005-05-09  5:41         ` Taylor, Grant
2005-05-09  5:46     ` Taylor, Grant
2005-06-02 18:26 ` SSH Brute force attacks - Script version 1.0 Taylor, Grant
2005-07-25 19:41   ` Steven M Campbell
2005-07-26  6:18     ` Jan Engelhardt
  -- strict thread matches above, loose matches on Subject: below --
2005-05-06 22:03 SSH Brute force attacks Gary W. Smith
2005-05-11 13:20 Alireza Yazdani
2005-05-11 19:49 zeus
2005-05-19 14:48 info
2005-05-19 15:01 ` Andrew Schulman
2005-05-19 15:31 info

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=427C52EC.6020004@riverviewtech.net \
    --to=gtaylor@riverviewtech.net \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.