From: Patrick Nelson <pnelson@neatech.com>
To: Georgi Alexandrov <tehlists@hotpop.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: SSH Brute force attacks
Date: Sun, 15 May 2005 13:12:36 -0700
Message-ID: <4287AD34.8010908@neatech.com>
In-Reply-To: <4285A29C.1020200@hotpop.com>

Georgi Alexandrov wrote:

> Jason Opperisano wrote:
>
>> On Wed, May 11, 2005 at 03:30:16PM -0400, Pete Toscano wrote:
>>
>>> Freaky.  My output is the same as yours with the exception of the
>>> 1.2.11 string.
>>>
>>> recent v1.2.11 options:
>>> <snip same stuff that you have>
>>> ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>.
>>> http://snowman.net/projects/ipt_recent/
>>>
>>> I'm a little confused about the difference between "recent v1.2.11" and
>>> "ipt_recent v0.3.1"  Is one a kernel component and the other the
>>> userspace part?
>>
>> yes, ipt_recent == kernel module.  the 1.2.11 is the version of the
>> iptables userspace utility.
>>
>>> I'm also a little confused about p-o-m.  Is this something I can apply
>>> without recompiling my (modular) kernel?   
>>
>> no.
>>
> I don't agree Jason. You can compile only the needed modules.
> Here's a tutorial (in bulgarian sorry, but you can get the idea from 
> the comments/commands) how to do that with fedora core 3:
> http://hardtrance.blogspot.com/2005/04/fedora-core-3-patch-o-matic-ipttimeko.html 
>>
>>> Are there any good docs on how
>>> to use p-o-m?  I didn't see any immediately obvious on the netfilter
>>> site and the p-o-m section seems to end mid-
>>
>> basic recipe:
>>
>> - download/extract kernel src
>> - download/extract iptables src
>> - download/extract p-o-m
>> - apply patches from p-o-m
>> - recompile kernel
>> - recompile iptables
>> - reboot, rinse, repeat.
>>
>> -j
>>
>> -- 
>> "Stewie: Soooo Broccoli, mother says you're very good for me. But I'm
>> afraid I'm no good for you."
>>        --Family Guy
>>
> regards,
> Georgi Alexandrov
>
As I read through the hardtrance.blogspot.com link I was wondering if 
anyone has rebuilt the RPM so I can try this.  I am getting inundated 
with SSH hits and I would love to try Grant's method.  But we do not do 
kernel building.  Is there any way Grant's method can be tried without 
rebuilding the kernel and iptables?  It seems that:

iptables -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent --hitcount 4 --set --name SSH -j RETURN

is an integral part of his method.  I have the same output from the 
command "iptables -m recent -h" as others here:
<snip>
recent v1.2.11 options:
[!] --set                       Add source address to list, always matches.
[!] --rcheck                    Match if source address in list.
[!] --update                    Match if source address in list, also
                                update last-seen time.
[!] --remove                    Match if source address in list, also
                                removes that address from list.
    --seconds seconds           For check and update commands above.
                                Specifies that the match will only occur
                                if source address last seen within the
                                last 'seconds' seconds.
    --hitcount hits             For check and update commands above.
                                Specifies that the match will only occur
                                if source address seen hits times.
<snip>

And I get the same output from Grant's recent command of:

iptables v1.2.11: Unknown arg `4'
Try `iptables -h' or 'iptables --help' for more information.

Is there a way to do this without doing Grant's "-m recent" step and the 
recompiling thing?  Or some workaround?  I really want to do tar 
pitting of these SSH brute force losers.

Thanks!
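The rate-limit behaviour this thread is chasing with "-m recent --seconds 60 --hitcount 4", as an added example that is not part of the thread and not netfilter code: a small Python model of the recent match's --set / --rcheck / --update semantics, written from memory of the kernel's xt_recent source, so the 2005 ipt_recent 0.3.1 module discussed here may differ in detail. It runs constructed connection events through the common two-rule pair (record the hit, then drop once four hits fall inside a sliding 60-second window) so you can see which attempt is dropped and why a host that keeps hammering stays blocked. The rule pair it models, the sample addresses and the timings are assumptions, not from the thread.

```python
"""Simulation of the iptables `recent` match (kernel xt_recent) for an SSH
rate-limit rule pair.  Added example, not code from the thread or from the
netfilter project: it models the match logic of xt_recent as found in current
kernels, from memory of its source; the 2005 ipt_recent 0.3.1 module the thread
is about may not behave identically.  Rules modelled (rule 1 has no target, so
it only records the hit and falls through to rule 2):

  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \\
      -m recent --name SSH --set
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \\
      -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
"""
from collections import defaultdict, deque

# xt_recent keeps at most ip_pkt_list_tot timestamps per address (default 20);
# --hitcount must not exceed it.
IP_PKT_LIST_TOT = 20


class RecentList:
    """One named list (`--name SSH`): source address -> ring of timestamps."""

    def __init__(self, max_stamps=IP_PKT_LIST_TOT):
        self.max_stamps = max_stamps
        self.stamps = defaultdict(deque)

    def set(self, addr, now):
        """--set: record a hit for addr (creating the entry); always matches."""
        ring = self.stamps[addr]
        ring.append(now)
        if len(ring) > self.max_stamps:
            ring.popleft()          # oldest stamp overwritten, as in the kernel ring
        return True

    def hits_in_window(self, addr, now, seconds):
        """Number of stamps for addr no older than `seconds` (0 = no age limit)."""
        if addr not in self.stamps:
            return 0
        if seconds == 0:
            return len(self.stamps[addr])
        return sum(1 for t in self.stamps[addr] if t >= now - seconds)

    def rcheck(self, addr, now, seconds=0, hitcount=0):
        """--rcheck [--seconds S] [--hitcount N]: match if addr is listed and has
        at least N stamps inside the last S seconds (N=0 behaves like N=1)."""
        if addr not in self.stamps:
            return False
        return self.hits_in_window(addr, now, seconds) >= max(hitcount, 1)

    def update(self, addr, now, seconds=0, hitcount=0):
        """--update: as --rcheck, and on a match also records a fresh stamp.
        Because of that refresh, a host that keeps hammering stays blocked."""
        matched = self.rcheck(addr, now, seconds, hitcount)
        if matched:
            self.set(addr, now)
        return matched


def ssh_filter(events, seconds=60, hitcount=4):
    """Run (time, src) NEW-connection events through the two rules above and
    return a list of (time, src, verdict)."""
    ssh = RecentList()
    verdicts = []
    for now, src in events:
        ssh.set(src, now)                                   # rule 1: --set
        if ssh.update(src, now, seconds, hitcount):         # rule 2: -j DROP
            verdicts.append((now, src, "DROP"))
        else:
            verdicts.append((now, src, "ACCEPT"))           # a later ACCEPT rule is assumed
    return verdicts


# Constructed sample traffic (times in seconds, TEST-NET addresses):
# a brute-forcer on 203.0.113.7 and an admin on 198.51.100.20.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"),
    (5, "198.51.100.20"),
    (10, "203.0.113.7"),
    (20, "203.0.113.7"),
    (30, "203.0.113.7"),    # 4th hit within 60 s: dropped, and the drop adds a stamp
    (45, "198.51.100.20"),  # admin's second login is unaffected
    (70, "203.0.113.7"),    # the t=0 stamp aged out, but still >= 4 in the window
    (129, "203.0.113.7"),   # only 3 stamps left in the window: accepted again
]

if __name__ == "__main__":
    for now, src, verdict in ssh_filter(SAMPLE_EVENTS):
        print(f"t={now:4d}  {src:15}  {verdict}")
```

Two things worth noticing in the output. The window is sliding, measured against the stored stamps rather than a fixed minute, and every drop by the --update rule stores another stamp, so an attacker who retries during the block keeps extending it, which is the tar-pit effect wanted above; once they stop for long enough that fewer than four stamps remain in the window they get through again. The same logic also locks out an admin who opens four sessions inside a minute, so put an ACCEPT for trusted source addresses ahead of these rules.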


Thread overview (82+ messages):
2005-05-06 15:57 SSH Brute force attacks Brent Clark
2005-05-06 16:40 ` Mogens Valentin
2005-05-06 19:29 ` R. DuFresne
2005-05-07  5:14 ` Taylor, Grant
2005-05-10 14:01   ` Eric Wood
2005-05-11 12:35   ` Brent Clark
2005-05-11 18:21     ` Taylor, Grant
2005-05-11 19:04       ` Pete Toscano
2005-05-11 19:15         ` Taylor, Grant
2005-05-11 19:30           ` Pete Toscano
2005-05-11 20:34             ` Jason Opperisano
2005-05-13 21:31               ` okay, I admit confusion here; R. DuFresne
2005-05-13 21:55                 ` Jason Opperisano
2005-05-16 17:40                   ` R. DuFresne
2005-05-16 20:55                     ` Taylor, Grant
2005-05-16 21:05                 ` Taylor, Grant
2005-05-14  7:02               ` SSH Brute force attacks Georgi Alexandrov
2005-05-14 15:47                 ` Jason Opperisano
2005-05-15 20:12                 ` Patrick Nelson [this message]
2005-05-17  0:49                   ` Charlie Brady
2005-05-14  9:08       ` Łukasz Hejnak
2005-05-14 19:08         ` Taylor, Grant
2005-05-16  8:16           ` Łukasz Hejnak
2005-05-17  1:05             ` Charlie Brady
2005-05-17  5:00               ` Łukasz Hejnak
2005-05-17  5:19                 ` Łukasz Hejnak
     [not found]                   ` <42898402.10507@eccotours.dyndns.org>
2005-05-17 12:44                     ` Łukasz Hejnak
2005-05-17 13:20                       ` Brent Clark
2005-05-17 13:36                         ` Sadus .
2005-05-17 16:06                           ` Łukasz Hejnak
2005-05-17 15:21                         ` Taylor, Grant
2005-05-18 12:39                       ` Brent Clark
2005-05-19  4:55                         ` Taylor, Grant
2005-05-19  9:05                           ` Brent Clark
2005-05-19 14:39                             ` Taylor, Grant
2005-05-20 13:01                               ` Brent Clark
2005-05-20 14:53                                 ` Taylor, Grant
2005-05-23 16:31                                   ` Brent Clark
2005-06-02 16:13                                     ` Sadus .
2005-06-02 16:43                                       ` Taylor, Grant
2005-06-02 19:18                                         ` Sadus .
2005-06-13 14:39                                           ` Taylor, Grant
2005-06-13 16:17                                             ` Patrick Nelson
2005-06-13 16:27                                             ` /dev/rob0
2005-06-13 19:00                                             ` R. DuFresne
2005-05-18 16:54                       ` Jim Miller
2005-05-18 17:51                         ` Łukasz Hejnak
2005-05-19  2:09                         ` Taylor, Grant
2005-05-21  8:00                       ` Пётр Волков Александрович
2005-05-21 22:37                         ` Taylor, Grant
2005-05-22  7:11                           ` Пётр Волков Александрович
2005-05-22 10:09                           ` Marius Mertens
2005-05-22 10:57                             ` Łukasz Hejnak
2005-05-23 16:14                               ` Taylor, Grant
2005-05-17  6:55               ` Taylor, Grant
     [not found]                 ` <1116333615.24331.4.camel@debianbox>
2005-05-17 15:25                   ` Taylor, Grant
2005-05-23 16:53               ` Taylor, Grant
2005-05-24 16:19                 ` Marius Mertens
2005-05-25  5:35                 ` Brent Clark
2005-05-25  8:48                   ` Marius Mertens
2005-05-25 18:10                   ` Taylor, Grant
2005-05-26 11:17                     ` Brent Clark
2005-05-31  4:12                       ` Taylor, Grant
2005-05-31 10:06                         ` Brent Clark
2005-05-31 14:17                           ` Taylor, Grant
2005-05-28 23:24                 ` Sebastian Siewior
2005-05-29  1:01                   ` Taylor, Grant
2005-05-07  5:32 ` Taylor, Grant
2005-05-08 15:20   ` Alistair Tonner
2005-05-08 18:51     ` Dwayne Hottinger
2005-05-08 22:57       ` Alexander Samad
2005-05-09  5:41         ` Taylor, Grant
2005-05-09  5:46     ` Taylor, Grant
2005-06-02 18:26 ` SSH Brute force attacks - Script version 1.0 Taylor, Grant
2005-07-25 19:41   ` Steven M Campbell
2005-07-26  6:18     ` Jan Engelhardt
  -- strict thread matches above, loose matches on Subject: below --
2005-05-06 22:03 SSH Brute force attacks Gary W. Smith
2005-05-11 13:20 Alireza Yazdani
2005-05-11 19:49 zeus
2005-05-19 14:48 info
2005-05-19 15:01 ` Andrew Schulman
2005-05-19 15:31 info
