[WBEL-users] kill ssh dictionary attacks

Josh whitebox-linux at techico.net
Thu Mar 23 11:23:48 CST 2006


Morning,

I know this is also off topic but I agree it's a good general topic.

I personally prefer something that uses less resources and is 99% as  
effective.  Add the following two lines to iptables: (each only one  
line)

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP

It simply delays someone trying to connect more than 5 times.  Like I  
stated earlier, 99% of the time you see in the logs 5 connection  
attempts and then nothing more from that IP.  Also, this is a  
temporary ban so if it is a user who has forgotten their password you  
won't be getting a support call!

Hope that helps someone as much as it's helped me,

Josh
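The same rate limit as an added example, not code from Josh's post or from the WBEL project: a small POSIX shell script that keeps the rules in their own chain (so it can be re-run safely), exempts an admin network, and logs bans so they show up in syslog. Assumed and not from the post: eth0 as the public interface, the constructed placeholder admin network 192.0.2.0/24, and the list name sshbf.

```shell
#!/bin/sh
# Added example, not the original post's rules: Josh's "recent" rate limit
# in a dedicated chain, with an admin exemption and a LOG rule for visibility.
# Assumptions: iptables with the recent match; eth0 is the public interface;
# 192.0.2.0/24 is a constructed placeholder for the admin network.
CHAIN=SSH_RATELIMIT
LIST=sshbf                       # named recent list (the post uses DEFAULT)
IFACE=${IFACE:-eth0}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}
WINDOW=60                        # seconds
HITS=6                           # the 6th new connection inside WINDOW is dropped

# With DRY_RUN=1 the rules are printed instead of being applied.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# The INPUT hook, inserted at the top (-I) like the original rules so it is
# evaluated before any general ACCEPT for port 22.
hook() {
    ipt "$1" INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -j "$CHAIN"
}

install_ssh_ratelimit() {
    ipt -N "$CHAIN" 2>/dev/null || true      # create once
    ipt -F "$CHAIN"                          # then empty, so reruns are idempotent
    # Administrators are neither counted nor blocked.
    ipt -A "$CHAIN" -s "$ADMIN_NET" -j RETURN
    # Record this attempt first, so the current packet counts as a hit.
    ipt -A "$CHAIN" -m recent --name "$LIST" --set
    # Log (rate-limited) and drop once HITS attempts fall inside WINDOW seconds.
    # --update refreshes the entry on every dropped packet, so the ban lasts
    # until the source has been quiet for WINDOW seconds, not WINDOW seconds total.
    ipt -A "$CHAIN" -m recent --name "$LIST" --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -m limit --limit 3/min -j LOG --log-prefix "ssh-ratelimit: "
    ipt -A "$CHAIN" -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    hook -D 2>/dev/null || true              # drop a previous hook, if any
    hook -I
}

# Kernels since 2.6.28 expose the list under /proc/net/xt_recent/<name>;
# older ones used /proc/net/ipt_recent/<name>.  "echo -ADDR > <file>" unbans.
show_banned() {
    cat /proc/net/xt_recent/"$LIST" 2>/dev/null || cat /proc/net/ipt_recent/"$LIST"
}

# Usage: DRY_RUN=1 sh ssh_ratelimit.sh apply  (review), then  sh ssh_ratelimit.sh apply
case "${1:-}" in
    apply) install_ssh_ratelimit ;;
    list)  show_banned ;;
esac
```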

Quoting Graham Waring <liverbird89 at hotmail.com>:

> G'day everyone,
>
> Not just for whitebox but an email to pass on a link to a pretty cool
> python app for many linux's.  Around this time last year this list was
> discussing this very issue and I hope this comes in handy for at least
> one of you.  It has always annoyed the cr at p out of me each morning as I
> go through the logs on my linux servers to see attempted ssh
> connections using every username under the sun as some person tries to
> guess my passwords (dream on) and "own" my servers.  I have used port
> knocking which is really good and works well, but I ssh to "lots" of
> remote linux boxes...and I just want to ssh in, sometimes as quick as
> possible without executing a port knock sequence.  I use it on
> whitebox, centos, suse, debian and aurora with no problems.  It just
> works and when I see "connection refused" in the logs, I declare out
> loud how good it is (even if nobody is listening).  Anyway, check out:
> http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
> I hope this is of some use to those who are suffering from the over
> night ssh attempts.
> Sorry if this list is supposed to be whitebox only related chat, I am
> just passing on something that may help.
>
> Cheers
> Graham
>
>