[WBEL-users] kill ssh dictionary attacks
Vic
whitebox at beer.org.uk
Thu Mar 23 08:24:10 CST 2006
> It has always annoyed the cr@p out of me each morning as I go through the
> logs on my linux servers to see attempted ssh connections using every
> username under the sun as some person tries to guess my passwords
I've just taken action against exactly this - and rather successfully, if
I do say so myself :-)
I've used an iptables script to rate-limit ssh connections. I've created a
new chain called "ssh", which is run for any new port 22 connections :-
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ssh
This chain firstly whitelists the IPs I know about & want unrestricted :-
-A ssh -s 213.232.80.166 -j ACCEPT
(etc.)
Then I rate-limit anyone else :-
-A ssh -p tcp -m tcp -m limit -m state --limit 2/minute --limit-burst 2 --state NEW -j ACCEPT
-A ssh -j DROP
(That's 2 lines - it might wrap somewhere in the email chain)
The upshot of this is that anyone not specifically whitelisted is allowed
to connect twice per minute to the ssh port; any more than this, and the
packets get dropped.
I built this on a server that was getting approx 3000 ssh attacks a day.
It now gets up to ten :-)
HTH
Vic.
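As an added illustration (not the poster's script), the following Python models what the `-m limit --limit 2/minute --limit-burst 2` rule above actually does: netfilter's limit match is a token bucket, and this simulation runs a constructed sequence of NEW connection attempts through the whitelist, limit and DROP rules to show which attempts get through. The attacker address 198.51.100.7 and the timestamps are assumed sample data.

```python
"""Simulate the ssh chain from the post: whitelist, `-m limit` token bucket, DROP.

The limit match starts with --limit-burst tokens, refills at --limit per unit
time, and a packet matches only when a whole token is available. Added
illustration only; it does not touch iptables.
"""
from dataclasses import dataclass, field

WHITELIST = {"213.232.80.166"}  # the whitelisted address used in the post


@dataclass
class LimitMatch:
    rate_per_min: float = 2.0   # --limit 2/minute
    burst: int = 2              # --limit-burst 2
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full

    def allow(self, now: float) -> bool:
        # Refill proportional to elapsed seconds, capped at the burst size;
        # the refill happens on every check, whether or not the packet matches.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_min / 60.0)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def ssh_chain(attempts, whitelist=WHITELIST):
    """Return the verdict for each (time_seconds, src_ip) NEW connection."""
    lim = LimitMatch()
    verdicts = []
    for t, src in attempts:
        if src in whitelist:
            verdicts.append("ACCEPT")   # -A ssh -s <ip> -j ACCEPT
        elif lim.allow(t):
            verdicts.append("ACCEPT")   # -A ssh ... -m limit ... -j ACCEPT
        else:
            verdicts.append("DROP")     # -A ssh -j DROP
    return verdicts


# Constructed sample: a dictionary attack from 198.51.100.7 (assumed address)
# sends four attempts in the first 4 s, the whitelisted admin connects at 5 s,
# then the attacker tries once more at 40 s (36 s after its last attempt has
# refilled more than one token, so that attempt is accepted again).
SAMPLE = [(0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
          (4, "198.51.100.7"), (5, "213.232.80.166"), (40, "198.51.100.7")]
```

Note that `-m limit` keeps one bucket for the whole rule, not one per source address, so the two-per-minute budget is shared by every non-whitelisted client; that is why whitelisting the addresses you administer from, as the post does, matters.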