Linux Netfilter discussions
From: Patrick Nelson <pnelson@neatech.com>
To: Georgi Alexandrov <tehlists@hotpop.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: SSH Brute force attacks
Date: Sun, 15 May 2005 13:12:36 -0700
Message-ID: <4287AD34.8010908@neatech.com>
In-Reply-To: <4285A29C.1020200@hotpop.com>

Georgi Alexandrov wrote:

> Jason Opperisano wrote:
>
>> On Wed, May 11, 2005 at 03:30:16PM -0400, Pete Toscano wrote:
>>  
>>
>>> Freaky.  My output is the same as yours with the exception of the 
>>> 1.2.11
>>> string.
>>>
>>> recent v1.2.11 options:
>>> <snip same stuff that you have>
>>> ipt_recent v0.3.1: Stephen Frost <sfrost@snowman.net>.
>>> http://snowman.net/projects/ipt_recent/
>>>
>>> I'm a little confused about the difference between "recent v1.2.11" and
>>> "ipt_recent v0.3.1"  Is one a kernel component and the other the
>>> userspace part?
>>>   
>>
>>
>> yes, ipt_recent == kernel module.  the 1.2.11 is the version of the
>> iptables userspace utility.
>>
>>  
>>
>>> I'm also a little confused about p-o-m.  Is this something I can apply
>>> without recompiling my (modular) kernel?   
>>
>>
>> no.
>>  
>>
> I don't agree Jason. You can compile only the needed modules.
> Here's a tutorial (in Bulgarian, sorry, but you can get the idea from 
> the comments/commands) on how to do that with Fedora Core 3:
> http://hardtrance.blogspot.com/2005/04/fedora-core-3-patch-o-matic-ipttimeko.html 
>
>
>>  
>>
>>> Are there any good docs on how
>>> to use p-o-m?  I didn't see any immediately obvious on the netfilter
>>> site and the p-o-m section seems to end mid-
>>>   
>>
>>
>> basic recipe:
>>
>> - download/extract kernel src
>> - download/extract iptables src
>> - download/extract p-o-m
>> - apply patches from p-o-m
>> - recompile kernel
>> - recompile iptables
>> - reboot, rinse, repeat.
>>
>> -j
>>
>> -- 
>> "Stewie: Soooo Broccoli, mother says you're very good for me. But I'm
>> afraid I'm no good for you."
>>        --Family Guy
>>
>>
>>  
>>
> regards,
> Georgi Alexandrov
>
As I read through the hardtrance.blogspot.com link, I was wondering if 
anyone has rebuilt the RPM so I can try this.  I am getting inundated 
with SSH hits and I would love to try Grant's method, but we do not do 
kernel building.  Is there any way Grant's method can be tried without 
rebuilding the kernel and iptables?  It seems that:

iptables -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent --hitcount 4 --set --name SSH -j RETURN

is an integral part of his method.  I get the same output from the command 
iptables -m recent -h as others here:
<snip>
recent v1.2.11 options:
[!] --set                       Add source address to list, always matches.
[!] --rcheck                    Match if source address in list.
[!] --update                    Match if source address in list, also update last-seen time.
[!] --remove                    Match if source address in list, also removes that address from list.
    --seconds seconds           For check and update commands above.
                                Specifies that the match will only occur if source address last seen within the last 'seconds' seconds.
    --hitcount hits             For check and update commands above.
                                Specifies that the match will only occur if source address seen hits times.
<snip>

And I get the same output from Grant's recent command of:

iptables v1.2.11: Unknown arg `4'
Try `iptables -h' or 'iptables --help' for more information.

Is there a way to do this without doing Grant's "-m recent" step and the 
recompiling thing?  Or some workaround?  I really want to do tar-pitting 
of these SSH brute force losers.

Thanks!
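
The SSH rate-limiting chain this thread is about, written out as an added example that is not code from the thread, from Grant's script, or from the iptables project. It uses only the recent-match options the quoted help output lists (--set, --update, --seconds, --hitcount, --name) and follows that help text in applying --hitcount to --update rather than to --set. The chain name SSH_Brute_Force and the list name SSH are the thread's; the probe chain name recent_probe, the variable names and the 60-second/4-hit values are assumptions for the example. The script prints the rules by default so they can be reviewed; nothing touches iptables unless it is told to.

```shell
#!/bin/sh
# Added example, not code from the thread: an SSH rate-limit chain built
# with the iptables "recent" match.  Per the help text quoted in the
# thread, --hitcount belongs to --rcheck/--update, so the counting rule
# is an --update rule and the recording rule is a plain --set.

CHAIN="SSH_Brute_Force"   # chain name used in the thread
LIST="SSH"                # recent list name used in the thread
WINDOW=60                 # seconds a source stays counted (assumed value)
HITS=4                    # new connections allowed per source per WINDOW (assumed value)

# Print the rules rather than running them, so they can be reviewed first.
# Evaluation order per new SSH connection:
#   1. --update: matches (DROP) once the source has HITS entries inside
#      WINDOW; it also refreshes last-seen, so a source that keeps hammering
#      stays blocked until it goes quiet for WINDOW seconds.
#   2. --set: records this attempt and returns to INPUT.
# Net effect: HITS attempts pass, the next one from the same source is dropped.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -A $CHAIN -m recent --name $LIST --set -j RETURN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j $CHAIN
EOF
}

# Check whether this iptables/kernel pair actually accepts --hitcount by
# loading one minimal rule into a throwaway chain and removing it again.
# The help listing --hitcount is not proof on its own: the thread shows a
# build whose help lists it while the quoted rule was rejected with
# "Unknown arg `4'".  Returns 0 if accepted, 1 if rejected, 2 if the
# probe chain could not be created (e.g. not root).
recent_hitcount_probe() {
    iptables -N recent_probe || return 2
    if iptables -A recent_probe -m recent --name probe --update \
            --seconds "$WINDOW" --hitcount "$HITS" -j RETURN; then
        _probe_status=0
    else
        _probe_status=1
    fi
    iptables -F recent_probe
    iptables -X recent_probe
    return $_probe_status
}

case "${1:-print}" in
    apply) ssh_ratelimit_rules | sh -e ;;
    probe) if recent_hitcount_probe; then
               echo "recent --hitcount accepted by this iptables/kernel"
           else
               echo "recent --hitcount NOT accepted (status $?)"
           fi ;;
    *)     ssh_ratelimit_rules ;;
esac
```

Run it with no argument to print the four rules, with `probe` (as root) to find out whether --hitcount is accepted before touching the real chains, and with `apply` to load them. The INPUT jump only sees NEW connections, so it must sit after whatever rule accepts ESTABLISHED traffic, or existing sessions are unaffected anyway but a misplaced rule can block legitimate logins; note also that several users behind one NAT address share one counter.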

