* Preventing login scripts with recent module
From: Stephen Gray @ 2006-07-06 6:42 UTC
To: netfilter
Hi everyone,
I'm trying to set up iptables to drop packets from people running
scripts that make repeated attempts to login using different
usernames/passwords. I'm new to iptables so would appreciate some help.
I found the following firewall rules somewhere which are supposed to
drop packets from people who make 4 or more connection attempts within 5
minutes (from /etc/sysconfig/iptables):
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH_RECENT --rsource
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH_RECENT --rsource -j DROP
For some reason this worked for a day or so (4 attempts within 5 mins
and I'm locked out for 5 mins) then inexplicably stopped working. I now
find that I'm locked out straight away - even if this is my first
attempt to connect for 24 hours. If I remove the above lines from the
iptables file and restart I can log in, if I add them back in I'm locked
out.
As far as I can tell from the docs the above rules are correct. Can
anyone tell me what the problem might be?
Thanks very much,
Steve
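The following is an added simulation, not code from the original post or from netfilter, that models what the two rules above do: `--set` appends a timestamp for the source address, and `--update --seconds 300 --hitcount 4` matches (and drops) when at least four timestamps fall in the last 300 seconds, appending another timestamp whenever it matches. The rule order (`--set` first, then `--update ... -j DROP`) and the per-address stamp limit of 20 (the `ip_pkt_list_tot` default) are taken as given; the source addresses and timelines are constructed.

```python
"""Offline model of the two-rule `-m recent` pattern for port 22.

Constructed simulation (not kernel code): it follows the documented
semantics of `--set` and `--update --seconds S --hitcount H` so the
lock-out behaviour of the posted rules can be reasoned about offline.
"""
from collections import defaultdict, deque

PKT_LIST_TOT = 20   # ip_pkt_list_tot default: timestamps kept per address


class RecentTable:
    """One named recent list (e.g. SSH_RECENT) keyed by source address."""

    def __init__(self, seconds, hitcount, pkt_list_tot=PKT_LIST_TOT):
        self.seconds = seconds
        self.hitcount = hitcount
        # Ring buffer per address: the oldest stamp is overwritten once full.
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """--set: record one more hit for src."""
        self.stamps[src].append(now)

    def update(self, src, now):
        """--update --seconds S --hitcount H: True when src has at least H
        hits within the last S seconds. On a match the current time is
        appended too, so a client that keeps retrying refreshes its own
        lock-out."""
        hits = sum(1 for t in self.stamps[src] if t >= now - self.seconds)
        matched = hits >= self.hitcount
        if matched:
            self.stamps[src].append(now)
        return matched


def new_ssh_connection(table, src, now):
    """Walk the two INPUT rules in the order they appear in the post:
    rule 1 (--set) never terminates, rule 2 (--update ... -j DROP) drops
    on match. Anything that survives both is treated as accepted here
    (assumption: the rest of the chain lets new SSH connections through)."""
    table.set(src, now)
    if table.update(src, now):
        return "DROP"
    return "ACCEPT"


def simulate(attempts, seconds=300, hitcount=4):
    """attempts: iterable of (time_in_seconds, src). Returns a list of
    (time, src, verdict) tuples, one per new connection."""
    table = RecentTable(seconds, hitcount)
    return [(t, src, new_ssh_connection(table, src, t)) for t, src in attempts]


if __name__ == "__main__":
    client = "198.51.100.7"          # constructed address
    # Four quick tries trip the rule; a retry at t=200 is still inside the
    # window; waiting until t=340 (more than 300 s after the 4th and 5th
    # stamps at t=30) gets the client back in.
    quiet = [(0, client), (10, client), (20, client), (30, client),
             (200, client), (340, client)]
    # Same start, but an extra retry at t=330 refreshes the window, so the
    # attempt at t=340 is dropped as well.
    impatient = quiet[:-1] + [(330, client), (340, client)]
    for name, timeline in (("quiet client", quiet), ("impatient client", impatient)):
        print(name)
        for t, src, verdict in simulate(timeline):
            print(f"  t={t:4d}s {src}: {verdict}")
```

The second timeline is the case worth knowing about: because `--update` refreshes the entry on every match, an address that keeps hitting port 22 while locked out (a retrying client, a monitoring probe, anything behind the same NAT address) stays locked out until it has been quiet for the full 300 seconds. The live list can be inspected on the firewall itself in `/proc/net/ipt_recent/SSH_RECENT` (`/proc/net/xt_recent/SSH_RECENT` on later kernels) to see which addresses are listed and how many stamps they carry.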
* Re: Preventing login scripts with recent module
From: Rob Sterenborg @ 2006-07-06 8:12 UTC
To: netfilter
On Thu, July 6, 2006 08:42, Stephen Gray wrote:
> Hi everyone,
>
>
> I'm trying to set up iptables to drop packets from people running
> scripts that make repeated attempts to login using different
> usernames/passwords. I'm new to iptables so would appreciate some help.
>
> I found the following firewall rules somewhere which are supposed to
> drop packets from people who make 4 or more connection attempts within 5 minutes (from
> /etc/sysconfig/iptables):
>
>
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH_RECENT --rsource
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --name SSH_RECENT --rsource -j DROP
>
>
> For some reason this worked for a day or so (4 attempts within 5 mins
> and I'm locked out for 5 mins) then inexplicably stopped working. I now find
> that I'm locked out straight away - even if this is my first attempt to
> connect for 24 hours. If I remove the above lines from the iptables file and
> restart I can log in, if I add them back in I'm locked out.
>
> As far as I can tell from the docs the above rules are correct. Can
> anyone tell me what the problem might be?
Can't help you with that however this thread may be of help (it's quite a long
thread called "SSH Brute force attacks"):
http://lists.netfilter.org/pipermail/netfilter/2005-May/060299.html
Also, if you have only a few known source IPs then you can restrict access to
port 22/tcp to just those IPs: no need for this recent hassle then. Or you
can configure your SSH server to only use public-/private-key authentication.
Gr,
Rob