Rich Shepard wrote:
> On Wed, 6 May 2009, chris (fool) mccraw wrote:
>
>> i rolled this out after i got tired of playing whack-a-mole and to my
>> delight discovered that no scanner in the past 8 months (since i rolled it
>> out) continues to scan more than a handful of times after the connection
>> is refused.
>
> On the advice of many, I installed denyhosts here and it works like a
> charm. However, I still see dozens to hundreds of attempts from the same IP
> address to ssh in and even more trying brute force attacks to find a valid
> username.
From my /etc/sysconfig/iptables file. (CentOS 5.3 systems)

...
#+# 20090120raa - Handle brute force assaults.
-N SSH_WHITELIST
# You can put in as many of these as you like replacing $IP_TO_WHITELIST
# with a valid IP
# Whitelisted sources are accepted and their entry in the SSH list is cleared
-A SSH_WHITELIST -s $IP_TO_WHITELIST -m recent --remove --name SSH -j ACCEPT
# Record the source of every new connection to port 22 in the list named SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
# 4th or later new connection from one source within 60 seconds: log it, then drop it
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
###
...

Email line breaks are yours to have and hold ... figure out. :-)

This cut my logwatch from having several hundred to several thousands a day to less than 10.

\\||/
Rod
--
> Between the NetGear firewall appliance and denyhosts they've all been kept
> out.
>
> Rich
> _______________________________________________
PLUG mailing list
http://lists.pdxlinux.org/mailman/listinfo/plug
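An added example, not from Rod's message or the PLUG thread: a shell function that tallies the kernel log lines the LOG rule above writes with the "SSH_brute_force " prefix, so the drops can be reviewed per source address instead of scrolling through logwatch. The log lines, hostnames and addresses are constructed samples.

```shell
#!/bin/sh
# Tally hits per source address from lines produced by the
# "SSH_brute_force " LOG target in the iptables rules above.
# Constructed sample lines (not from a real host), in the shape the
# iptables LOG target writes to /var/log/messages on CentOS. The last
# line is an ordinary sshd message and must be ignored by the filter.
SAMPLE_LOG='May  6 10:01:02 host kernel: SSH_brute_force IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=44321 DPT=22 SYN
May  6 10:01:03 host kernel: SSH_brute_force IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=44322 DPT=22 SYN
May  6 10:01:04 host kernel: SSH_brute_force IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=50001 DPT=22 SYN
May  6 10:01:05 host kernel: SSH_brute_force IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=44323 DPT=22 SYN
May  6 10:01:06 host sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 50002 ssh2'

# summarize_ssh_brute_force LOGTEXT
#   prints one "<hits> <src-ip>" line per source address, most hits first;
#   only lines carrying the SSH_brute_force prefix are counted
summarize_ssh_brute_force() {
    printf '%s\n' "$1" | awk '
        /SSH_brute_force/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { src = substr($i, 5); hits[src]++ }
        }
        END { for (s in hits) printf "%d %s\n", hits[s], s }
    ' | sort -rn
}

# top_ssh_brute_force_src LOGTEXT
#   prints only the source address with the most logged hits
top_ssh_brute_force_src() {
    summarize_ssh_brute_force "$1" | head -n 1 | cut -d' ' -f2
}

# Stand-alone run over the constructed sample: 3 hits from 198.51.100.7,
# 1 hit from 203.0.113.9; the sshd line is not counted.
summarize_ssh_brute_force "$SAMPLE_LOG"
```

Because the LOG rule only fires once a source has exceeded the 4-in-60-seconds threshold, each counted line is an attempt beyond that threshold, not the total number of connections the address made.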
