Charles Ballard wrote:
*** For details on how to be removed from this list visit the ***
*** CCP4 home page http://www.ccp4.ac.uk ***

Dear All,

we have been experiencing a large number of ssh attacks on the machine supporting the ccp4 webserver. At this time it is holding, but I cannot guarantee it. For your information the offending host is 202.108.40.109 which has been active for this sort of thing for about 12 months.

Charles Ballard
CCP4
On my RHEL4 clones I replace the usual line in /etc/sysconfig/iptables

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

with

    -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --update --seconds 60 -j DROP
    -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --set -j ACCEPT
This works "out of the box" on RHEL4. What it does is reduce the rate of ssh login attempts per IP to one per minute; an ongoing unsuccessful attempt essentially blocks the ssh port for this IP. The net result is that "ssh attacks" are blocked after one trial, but normal usage by remote users is (transparently) possible - however, if they make a typo while logging in by ssh, they must wait one minute until the next attempt (of course this could be adjusted down to 20 seconds or so).
For RHEL3 (clones) there is an iptables-1.2.11-3.1.1.ker.rhel3.i386.rpm by Milan Kerslager which has the ipt_recent module that this technique requires.
For SuSE, google for "iptables recent suse" - the first hit gives the analogous recipe.
HTH,
Kay

--
Kay Diederichs  http://strucbio.biologie.uni-konstanz.de
email: [EMAIL PROTECTED]  Tel +49 7531 88 4049  Fax 3183
Fachbereich Biologie, Universität Konstanz, Box M647, D-78457 Konstanz
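Added example (not Kay's or CCP4's code): a small Python model of what the two ipt_recent rules above do over time, so the "one attempt per minute, and continuous hammering stays blocked" behaviour can be checked. The IP addresses (RFC 5737 documentation ranges), timestamps and retry schedule are constructed; the refresh flag is an assumed switch to contrast --update (the post's rule) with --rcheck.

```python
# Added model of the post's two rules, not code from the post or from netfilter.
# Rule 1: -m recent --name SSH --update --seconds 60 -j DROP
# Rule 2: -m recent --name SSH --set -j ACCEPT
# Timestamps, IPs and the event schedule below are constructed sample data.

WINDOW = 60  # the post's --seconds 60


class RecentSsh:
    """Per-source last-seen table consulted by the two rules, in order.

    refresh=True models rule 1 with --update (a match refreshes the stamp);
    refresh=False models the same rule written with --rcheck (a match only tests).
    """

    def __init__(self, window=WINDOW, refresh=True):
        self.window = window
        self.refresh = refresh
        self.last_seen = {}

    def decide(self, src, now):
        seen = self.last_seen.get(src)
        # Rule 1: entry exists and was seen less than `window` seconds ago -> DROP
        if seen is not None and now - seen < self.window:
            if self.refresh:
                self.last_seen[src] = now  # a blocked attempt restarts the clock
            return "DROP"
        # Rule 2: --set adds (or refreshes) the entry and accepts the SYN
        self.last_seen[src] = now
        return "ACCEPT"


def replay(events, refresh=True):
    """events: (seconds, src_ip) pairs in time order -> (t, src, verdict) list."""
    table = RecentSsh(refresh=refresh)
    return [(t, src, table.decide(src, t)) for t, src in events]


def accepted(results, src):
    """Times at which `src` got through."""
    return [t for t, s, v in results if s == src and v == "ACCEPT"]


# Constructed schedule: a scanner retries every 5 s for two minutes; a legitimate
# user mistypes a password, retries after 30 s (too soon) and again 70 s later.
SCANNER, USER = "203.0.113.7", "198.51.100.20"
EVENTS = sorted([(t, SCANNER) for t in range(0, 120, 5)]
                + [(0, USER), (30, USER), (100, USER)])

if __name__ == "__main__":
    for mode in (True, False):
        res = replay(EVENTS, refresh=mode)
        print("--update" if mode else "--rcheck", "scanner:", accepted(res, SCANNER),
              "user:", accepted(res, USER))
```

With --update the scanner only ever gets its first SYN through, because every dropped retry refreshes its timestamp; with --rcheck the same scanner would get one connection per minute, and the typo-making user is treated identically either way.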
