Hi,

On Sunday, 07 Oct 2007, 10:40:10 +0100, Mick wrote:
> Can you please advise what I could do to block IP addresses that have
> repeatedly failed to log in? I am looking here at a server which over the
> last week is being attacked daily with random usernames. So the only
> constant in these repeated attempts is not the username, but the IP address.
> Occasionally, the odd service name (e.g. rpc, mysql, postgres, etc.) repeats
> itself, otherwise they seem to be randomly selected from a dictionary.

This is a _real_ nuisance. Besides that, I doubt there is any meaningful
harvest.

> I have already disabled PAM authentication on sshd so that only users with a
> public key in their ~/.ssh can login.

Host-based authentication is one possible solution. Fail2ban was already
mentioned, too.

A bit more difficult is a ban by iptables. This one has been working here
successfully for quite some time:

  SSH_WHITELIST="192.168.0.0/16 11.22.33.44"
  IPT='/sbin/iptables -v'

  iptsshdefence() {
    # whitelisted sources are dropped from the "SSH" recent list and accepted
    $IPT -N sshwhite
    for t in $SSH_WHITELIST
    do
      $IPT -A sshwhite -s $t -m recent --remove --name SSH -j ACCEPT
    done
    # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix 'SSH request '
    # record every new connection attempt to port 22 under the name "SSH"
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j sshwhite
    # $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix 'SSH brute_force '
    # 4 or more new attempts from one source within 60 seconds: reject
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j REJECT
  }

Of course you need a kernel with recent module and reject target support
compiled in.

Thanks a lot again to this list!

Bertram

-- 
Bertram Scharpf
Stuttgart, Deutschland/Germany
http://www.bertram-scharpf.de

-- 
[EMAIL PROTECTED] mailing list
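The iptables rules above decide on the packet path: a source that opens four new connections to port 22 within 60 seconds is rejected unless it is whitelisted. The same "hitcount within a window, minus a whitelist" logic can be applied after the fact to sshd's log, which is what log-based tools such as fail2ban do. The following script is an added example, not part of Bertram's reply or of any tool named in the thread; the log lines it reads are constructed, the year 2007 is assumed because syslog timestamps carry none, and the 192.168.0.0/16 whitelist and the 4-in-60-seconds threshold are taken from the rules above.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not real data): one host hammers in a burst,
# one probes slowly, and one whitelisted LAN host mistypes a password.
SAMPLE_LOG = """\
Oct  7 10:40:01 host sshd[2101]: Invalid user rpc from 203.0.113.5
Oct  7 10:40:03 host sshd[2103]: Invalid user mysql from 203.0.113.5
Oct  7 10:40:09 host sshd[2107]: Failed password for invalid user postgres from 203.0.113.5 port 40122 ssh2
Oct  7 10:40:15 host sshd[2110]: Invalid user oracle from 203.0.113.5
Oct  7 10:40:20 host sshd[2112]: Invalid user test from 198.51.100.9
Oct  7 10:42:30 host sshd[2120]: Invalid user admin from 198.51.100.9
Oct  7 10:45:00 host sshd[2131]: Invalid user guest from 198.51.100.9
Oct  7 10:47:10 host sshd[2140]: Invalid user www from 198.51.100.9
Oct  7 10:48:00 host sshd[2150]: Failed password for mick from 192.168.1.20 port 51022 ssh2
Oct  7 10:48:02 host sshd[2150]: Failed password for mick from 192.168.1.20 port 51022 ssh2
Oct  7 10:48:04 host sshd[2150]: Failed password for mick from 192.168.1.20 port 51022 ssh2
Oct  7 10:48:06 host sshd[2150]: Failed password for mick from 192.168.1.20 port 51022 ssh2
Oct  7 10:48:30 host sshd[2151]: Accepted publickey for mick from 192.168.1.20 port 51030 ssh2
"""

# Matches the two common OpenSSH failure messages and captures time and source.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

LOG_YEAR = 2007  # assumed: syslog lines carry no year


def parse_failures(text):
    """Yield (timestamp, source_ip) for every failed-login line in the log."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, ipaddress.ip_address(m.group("ip"))


def find_brute_forcers(text, seconds=60, hitcount=4, whitelist=("192.168.0.0/16",)):
    """Return {ip: time} for each non-whitelisted source whose failures
    reached `hitcount` inside a sliding window of `seconds`.

    This mirrors the iptables rule above: '--seconds 60 --hitcount 4'
    with the whitelist checked first."""
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)  # per-source timestamps, like the "SSH" recent list
    banned = {}
    for ts, ip in parse_failures(text):
        if any(ip in net for net in allowed):
            continue  # whitelisted, never counted
        key = str(ip)
        hits = recent[key]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # forget failures older than the window
        if len(hits) >= hitcount and key not in banned:
            banned[key] = ts  # first moment the threshold was crossed
    return banned


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip}: threshold reached at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.5 is reported (four failures in 14 seconds); 198.51.100.9 spreads its attempts over seven minutes and stays under the 60-second threshold, which is the same gap a slow scanner would slip through with the iptables rule. Widening the window to ten minutes catches it as well, at the cost of more false positives from legitimate users who mistype repeatedly.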