Ruminations on an SSH attack

Kevin D. Clark kevin_d_clark at comcast.net
Mon Dec 19 14:36:00 EST 2005


Bruce Dawson writes:

> But I guess a better place to stop them would be in tcpwrappers or
> even the firewall, but I haven't figured out a way to wedge something
> like RBL into tcpwrappers or iptables/ipchains. Any ideas?

Not entirely what you are looking for, but I find the following
iptables rules to be useful:

# Rule 1: every NEW connection to port 22 records the source address in
# the "ssh" recent list (adding a fresh timestamp for a known address).
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set

# Rule 2: if this source has been seen 4 or more times within the last
# 60 seconds, log it.  LOG is non-terminating, so evaluation continues
# to the next rule; --update also refreshes the entry's timestamp when
# it matches, so a host that keeps hammering extends its own block.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j LOG --log-level WARN --log-prefix SSH-TOO-FAST

# Rule 3: same test, but --rcheck does not touch the list; matching
# packets are dropped.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --rcheck --seconds 60 --hitcount 4 -j DROP


Basically, if a given IP attempts to connect to your ssh port >4 times
in a given minute, it gets dropped for a while.  More documentation
here:

  http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.16


I've deployed this scheme on a couple of machines with great success.
In my case, I had to help maintain machines that were subjected to
dictionary attacks (hundreds of attempts per minute), but were
accessed legitimately by folks who I couldn't convince to use specific
IP addresses (hosts.allow not possible), ssh keys, or even very good
passwords (this was unfortunate but that was reality).

The kiddies could still attack, but it was like wading through
molasses for them.  Boo-hoo!

Regards,

--kevin

PS  Credit to where it is due.  I first heard this idea from dsr.

-- 
GnuPG ID: B280F24E
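The sliding-window behaviour of the three rules above, as an added example that is not part of the original post: a small Python model of the netfilter "recent" match (--set, --rcheck and --update with --seconds/--hitcount), run over constructed connection timestamps for a legitimate user and a dictionary-attack host. The addresses, timings and function names are invented for illustration; the per-address list depth of 20 is the module's default ip_pkt_list_tot.

```python
"""Model of the three ipt_recent SSH rules (added example, not from the post).

Semantics mirrored from the netfilter recent match:
  --set     append the current time to the address's stamp list
  --rcheck  match when >= HITCOUNT stamps lie within the last SECONDS seconds
  --update  like --rcheck, but also append a stamp when it matches
Each address keeps at most LIST_DEPTH stamps (ip_pkt_list_tot, default 20);
older stamps are overwritten, which a bounded deque reproduces.
"""
from collections import defaultdict, deque

LIST_DEPTH = 20  # ip_pkt_list_tot default (assumption: stock module setting)


class RecentList:
    """One named list (here 'ssh'): a bounded ring of timestamps per address."""

    def __init__(self, depth=LIST_DEPTH):
        self.stamps = defaultdict(lambda: deque(maxlen=depth))

    def set(self, addr, now):
        # --set: record this packet's arrival time
        self.stamps[addr].append(now)

    def hits(self, addr, now, seconds):
        # count stamps no older than now - seconds
        cutoff = now - seconds
        return sum(1 for s in self.stamps[addr] if s >= cutoff)

    def rcheck(self, addr, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: test only, list untouched
        return self.hits(addr, now, seconds) >= hitcount

    def update(self, addr, now, seconds, hitcount):
        # --update: same test, but refresh the list on a match
        matched = self.rcheck(addr, now, seconds, hitcount)
        if matched:
            self.stamps[addr].append(now)
        return matched


def simulate(attempts, seconds=60, hitcount=4):
    """Walk NEW ssh connections (time_in_seconds, src_addr) through the rules.

    Returns [(time, src, verdict)] with verdict 'ACCEPT' or 'LOG+DROP'.
    The LOG rule (--update) and the DROP rule (--rcheck) use the same window
    and hit count, so they match exactly the same packets.
    """
    ssh = RecentList()
    verdicts = []
    for now, src in sorted(attempts):
        ssh.set(src, now)                            # rule 1: --set
        ssh.update(src, now, seconds, hitcount)      # rule 2: --update -j LOG
        dropped = ssh.rcheck(src, now, seconds, hitcount)  # rule 3: --rcheck -j DROP
        verdicts.append((now, src, "LOG+DROP" if dropped else "ACCEPT"))
    return verdicts


# Constructed sample traffic (documentation-range addresses, invented times):
# a legitimate user reconnecting now and then, and an attacker opening a
# NEW connection every second, pausing, retrying once, then giving up.
LEGIT = "192.0.2.10"
ATTACKER = "198.51.100.7"
SAMPLE = (
    [(0, LEGIT), (30, LEGIT), (100, LEGIT)]
    + [(200 + i, ATTACKER) for i in range(8)]   # 200 .. 207
    + [(263, ATTACKER), (330, ATTACKER)]
)


def verdicts_for(src, attempts=SAMPLE, seconds=60, hitcount=4):
    """Verdict sequence for one source address, in time order."""
    return [v for _, s, v in simulate(attempts, seconds, hitcount) if s == src]


if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE):
        print(f"t={t:4d}  {src:14s}  {verdict}")
```

Running it shows the fourth NEW connection inside the window is already dropped (three tries per minute get through), that the attacker's retry at t=263 is still blocked because every blocked attempt refreshed the list via --update, and that the host is clear again once 60 seconds pass with no further attempts. The legitimate user is never affected, since the list is kept per source address.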




More information about the gnhlug-discuss mailing list