From: Brent Clark <bclark@eccotours.dyndns.org>
To: "Taylor, Grant" <gtaylor@riverviewtech.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: SSH Brute force attacks
Date: Fri, 20 May 2005 15:01:48 +0200
Message-ID: <428DDFBC.1080905@eccotours.dyndns.org>
In-Reply-To: <428CA51D.4080206@riverviewtech.net>
Taylor, Grant wrote:
>> I understand what you are saying, but what I was hoping for was a
>> solution whereby the src IP is not part of my whitelist.
>>
>> For example, I have a dialup account (dynamic IP) at home. If I need
>> to SSH into my Linux box from home, I can't because the IP I have been
>> allocated will not be in the whitelist.
>
>
> Can I ask why you would not be able to get in from your dynamic IP at
> home? The rule set will allow (however many NEW attempts you
> designate) to connect for a specified number of times in a specified
> amount of time. You don't have to have your dynamic IP in the list as
> any IP will still be able to initiate NEW connections a few times before
> the rule starts TARPITing / DROPing the connection. There is also the
> fact that you could configure your SSH server to listen on a (2nd) port
> at a higher port number that you would know about that most people would
> not. This port would not be processed by this script and thus you would
> be able to connect from anywhere.
Hi all
Below is what I have. I basically copied and pasted the original from
Grant Taylor.
So... I can't see why I can't connect from a dynamically assigned IP.
Kind Regards
Brent Clark
===========================================
#!/bin/sh -
IPT=/sbin/iptables

# This box is not a router: no dynamic-address rewriting, no forwarding.
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo 0 > /proc/sys/net/ipv4/ip_forward

# Start from a clean slate in all three tables.
$IPT --flush
$IPT --flush INPUT                  # Flush the INPUT chain
$IPT --flush OUTPUT                 # Flush the OUTPUT chain
$IPT --flush FORWARD                # Flush the FORWARD chain
$IPT -t nat --flush                 # Flush the nat table
$IPT -t mangle --flush              # Flush the mangle table
$IPT --delete-chain                 # Delete any pre-existing chains
$IPT -t nat --delete-chain          # Delete any pre-existing chains from the nat table
$IPT -t mangle --delete-chain       # Delete any pre-existing chains from the mangle table

# Default-deny in the filter table; nat and mangle pass everything.
$IPT --policy INPUT DROP            # Setting the default policy for the INPUT chain
$IPT --policy FORWARD DROP          # Setting the default policy for the FORWARD chain
$IPT --policy OUTPUT DROP           # Setting the default policy for the OUTPUT chain
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy POSTROUTING ACCEPT

# Loopback is always allowed.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Stateful basics: replies pass, INVALID is logged and then dropped.
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -m state --state INVALID -j DROP

# ident (113) is rejected rather than dropped so remote servers do not wait for a timeout.
$IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
$IPT -t filter -A INPUT -d 217.199.186.255 -j DROP

# Public services.
$IPT -t filter -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

# SSH: rate-limit NEW connections per source address with the "recent" match.
# The earlier variant (whitelist tested on the jump, --rcheck, hitcount 3) is
# kept for reference; "-s ! addr" is written "! -s addr" in current iptables.
#$IPT -A INPUT -p tcp --dport 22 -m state --state NEW ! -s 196.31.9.82 -j SSH_Brute_Force
#$IPT -A SSH_Brute_Force -m recent --set --name SSH
#$IPT -A SSH_Brute_Force -m recent ! --rcheck --name SSH --seconds 60 --hitcount 3 -j RETURN
#$IPT -A SSH_Brute_Force -m recent --name SSH --update
#$IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
#$IPT -A SSH_Brute_Force -j DROP

$IPT -N SSH_Brute_Force
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_Brute_Force
$IPT -A SSH_Brute_Force -s 196.31.9.82 -j RETURN                # whitelisted source: never counted
$IPT -A SSH_Brute_Force -m recent --set --name SSH --rsource      # record this attempt
# Fewer than 8 hits from this source in the last 60 s: hand the packet back.
# (With current xt_recent, --set and a matching negated --update each record
# a hit, so the real allowance per minute is lower than 8.)
$IPT -A SSH_Brute_Force -m recent ! --update --seconds 60 --hitcount 8 --name SSH --rsource -j RETURN
$IPT -A SSH_Brute_Force -m recent --update --name SSH --rsource   # refresh the entry of a source that is over the limit
$IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
$IPT -A SSH_Brute_Force -p tcp -j DROP
# RETURN only leaves SSH_Brute_Force and continues down INPUT, and nothing
# below accepts port 22, so without this rule every SSH connection
# (whitelisted or not) ends at the final LOG/DROP.  In the script as posted
# this ACCEPT was commented out (and placed before the jump, where it would
# have bypassed the chain entirely).
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

$IPT -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --dport 135 -j DROP
$IPT -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable   # duplicate of the rule above; never reached

# ICMP: accept the error/control types, log anything else except echo-request.
$IPT -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -t filter -A INPUT -p icmp ! --icmp-type echo-request -j LOG

# Everything else inbound: log, then drop.
$IPT -t filter -A INPUT -j LOG --log-prefix "[INPUT DROP]: " --log-tcp-options --log-ip-options
$IPT -t filter -A INPUT -j DROP

# Outbound: allow whatever this host initiates, drop INVALID.
$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A OUTPUT -m state --state NEW -j ACCEPT
$IPT -t filter -A OUTPUT -j LOG --log-prefix "[OUTPUT DROP]: " --log-tcp-options --log-ip-options
$IPT -t filter -A OUTPUT -j DROP
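To see what the posted rules actually do to a NEW connection on port 22, here is a small Python model. It is added to this page and is not part of the thread or of either poster's code. It re-implements the recent-match semantics the chain relies on (--set, and --update with --seconds/--hitcount in plain and negated form) following the current kernel xt_recent code, which is an assumption: the 2005 ipt_recent module may count slightly differently. It then replays a constructed sequence of attempts. 192.0.2.10 stands in for the dynamic home address (an RFC 5737 documentation address, not from the thread); 196.31.9.82 is the whitelist address from the script. accept_after_chain=False is the script as posted, with the "--dport 22 ... -j ACCEPT" rule commented out.

```python
"""Model of the posted SSH_Brute_Force chain.  Added illustration, not code
from the thread.  The whitelist address, window and hit count are the values
in the posted script; xt_recent semantics follow the current kernel code
(assumption); 192.0.2.10 is a made-up "dynamic home IP"."""
from collections import defaultdict

WHITELIST = {"196.31.9.82"}   # $IPT -A SSH_Brute_Force -s 196.31.9.82 -j RETURN
SECONDS = 60                  # --seconds 60
HITCOUNT = 8                  # --hitcount 8
IP_PKT_LIST_TOT = 20          # xt_recent default: timestamps kept per address


class RecentTable:
    """One xt_recent list (--name SSH --rsource): newest-first timestamps per source."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def _stamp(self, src, now):
        s = self.stamps[src]
        s.insert(0, now)
        del s[IP_PKT_LIST_TOT:]          # circular buffer of ip_pkt_list_tot entries

    def set(self, src, now):
        """--set: create the entry if needed and record a hit."""
        self._stamp(src, now)

    def update(self, src, now, seconds=0, hitcount=0, invert=False):
        """--update [--seconds S] [--hitcount N], optionally negated with '!'.

        Returns the rule's result after inversion.  The match succeeds when the
        source is known and has at least N hits within the last S seconds (any
        hit if N is 0).  As in xt_recent, a fresh timestamp is recorded whenever
        the *final* result is a match, so a negated rule refreshes the entry on
        exactly the attempts it lets through.  An unknown source is a plain
        miss and nothing is recorded."""
        if src not in self.stamps:
            return invert
        hits = sum(1 for t in self.stamps[src] if not seconds or now - t <= seconds)
        ret = invert
        if hits >= max(hitcount, 1):
            ret = not ret
        if ret:
            self._stamp(src, now)
        return ret


def ssh_brute_force_chain(table, src, now):
    """Verdict of the SSH_Brute_Force chain for one NEW packet: RETURN or DROP."""
    if src in WHITELIST:                       # -s 196.31.9.82 -j RETURN
        return "RETURN"
    table.set(src, now)                        # -m recent --set --name SSH --rsource
    if table.update(src, now, SECONDS, HITCOUNT, invert=True):
        return "RETURN"                        # ! --update --seconds 60 --hitcount 8 -j RETURN
    table.update(src, now)                     # -m recent --update --name SSH --rsource
    return "DROP"                              # -j LOG ... ; -p tcp -j DROP


def input_chain(table, src, now, accept_after_chain):
    """INPUT-chain verdict for a NEW TCP packet to port 22.

    accept_after_chain=False is the script as posted: the only
    '--dport 22 ... -j ACCEPT' rule is commented out, so a packet that RETURNs
    from SSH_Brute_Force continues down INPUT and meets the final '-j DROP'."""
    if ssh_brute_force_chain(table, src, now) == "DROP":
        return "DROP (SSH_Brute_Force)"
    return "ACCEPT" if accept_after_chain else "DROP (end of INPUT)"


def simulate(attempts, accept_after_chain):
    """Replay (seconds, source) attempts in order and return their verdicts."""
    table = RecentTable()
    return [input_chain(table, src, t, accept_after_chain) for t, src in attempts]


# Constructed sample: the home address tries nine times in nine seconds, the
# whitelisted address connects once, then the home address tries again after
# the 60-second window has expired.
SAMPLE = [(t, "192.0.2.10") for t in range(9)] + [(10, "196.31.9.82"), (75, "192.0.2.10")]

if __name__ == "__main__":
    for label, accept in (("as posted (no ACCEPT after the chain)", False),
                          ("with '--dport 22 ... -j ACCEPT' after the jump", True)):
        print(label)
        for (t, src), verdict in zip(SAMPLE, simulate(SAMPLE, accept)):
            print(f"  t={t:3d}s {src:<14} {verdict}")
```

In the "as posted" run every attempt ends in "DROP (end of INPUT)", the whitelisted address included: RETURN only leaves SSH_Brute_Force, and nothing later in INPUT accepts port 22. With an ACCEPT rule placed after the jump, the home address gets four connections through in this model before the limiter bites, not eight, because --set and the negated --update each record a hit on every allowed attempt; after the window expires it is admitted again.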
Thread overview (82+ messages):
2005-05-06 15:57 SSH Brute force attacks Brent Clark
2005-05-06 16:40 ` Mogens Valentin
2005-05-06 19:29 ` R. DuFresne
2005-05-07 5:14 ` Taylor, Grant
2005-05-10 14:01 ` Eric Wood
2005-05-11 12:35 ` Brent Clark
2005-05-11 18:21 ` Taylor, Grant
2005-05-11 19:04 ` Pete Toscano
2005-05-11 19:15 ` Taylor, Grant
2005-05-11 19:30 ` Pete Toscano
2005-05-11 20:34 ` Jason Opperisano
2005-05-13 21:31 ` okay, I admit confusion here; R. DuFresne
2005-05-13 21:55 ` Jason Opperisano
2005-05-16 17:40 ` R. DuFresne
2005-05-16 20:55 ` Taylor, Grant
2005-05-16 21:05 ` Taylor, Grant
2005-05-14 7:02 ` SSH Brute force attacks Georgi Alexandrov
2005-05-14 15:47 ` Jason Opperisano
2005-05-15 20:12 ` Patrick Nelson
2005-05-17 0:49 ` Charlie Brady
2005-05-14 9:08 ` Łukasz Hejnak
2005-05-14 19:08 ` Taylor, Grant
2005-05-16 8:16 ` Łukasz Hejnak
2005-05-17 1:05 ` Charlie Brady
2005-05-17 5:00 ` Łukasz Hejnak
2005-05-17 5:19 ` Łukasz Hejnak
[not found] ` <42898402.10507@eccotours.dyndns.org>
2005-05-17 12:44 ` Łukasz Hejnak
2005-05-17 13:20 ` Brent Clark
2005-05-17 13:36 ` Sadus .
2005-05-17 16:06 ` Łukasz Hejnak
2005-05-17 15:21 ` Taylor, Grant
2005-05-18 12:39 ` Brent Clark
2005-05-19 4:55 ` Taylor, Grant
2005-05-19 9:05 ` Brent Clark
2005-05-19 14:39 ` Taylor, Grant
2005-05-20 13:01 ` Brent Clark [this message]
2005-05-20 14:53 ` Taylor, Grant
2005-05-23 16:31 ` Brent Clark
2005-06-02 16:13 ` Sadus .
2005-06-02 16:43 ` Taylor, Grant
2005-06-02 19:18 ` Sadus .
2005-06-13 14:39 ` Taylor, Grant
2005-06-13 16:17 ` Patrick Nelson
2005-06-13 16:27 ` /dev/rob0
2005-06-13 19:00 ` R. DuFresne
2005-05-18 16:54 ` Jim Miller
2005-05-18 17:51 ` Łukasz Hejnak
2005-05-19 2:09 ` Taylor, Grant
2005-05-21 8:00 ` Пётр Волков Александрович
2005-05-21 22:37 ` Taylor, Grant
2005-05-22 7:11 ` Пётр Волков Александрович
2005-05-22 10:09 ` Marius Mertens
2005-05-22 10:57 ` Łukasz Hejnak
2005-05-23 16:14 ` Taylor, Grant
2005-05-17 6:55 ` Taylor, Grant
[not found] ` <1116333615.24331.4.camel@debianbox>
2005-05-17 15:25 ` Taylor, Grant
2005-05-23 16:53 ` Taylor, Grant
2005-05-24 16:19 ` Marius Mertens
2005-05-25 5:35 ` Brent Clark
2005-05-25 8:48 ` Marius Mertens
2005-05-25 18:10 ` Taylor, Grant
2005-05-26 11:17 ` Brent Clark
2005-05-31 4:12 ` Taylor, Grant
2005-05-31 10:06 ` Brent Clark
2005-05-31 14:17 ` Taylor, Grant
2005-05-28 23:24 ` Sebastian Siewior
2005-05-29 1:01 ` Taylor, Grant
2005-05-07 5:32 ` Taylor, Grant
2005-05-08 15:20 ` Alistair Tonner
2005-05-08 18:51 ` Dwayne Hottinger
2005-05-08 22:57 ` Alexander Samad
2005-05-09 5:41 ` Taylor, Grant
2005-05-09 5:46 ` Taylor, Grant
2005-06-02 18:26 ` SSH Brute force attacks - Script version 1.0 Taylor, Grant
2005-07-25 19:41 ` Steven M Campbell
2005-07-26 6:18 ` Jan Engelhardt
-- strict thread matches above, loose matches on Subject: below --
2005-05-06 22:03 SSH Brute force attacks Gary W. Smith
2005-05-11 13:20 Alireza Yazdani
2005-05-11 19:49 zeus
2005-05-19 14:48 info
2005-05-19 15:01 ` Andrew Schulman
2005-05-19 15:31 info