Rich Shepard wrote:
> Not long ago there was a thread on cracking attempts via ssh. Several
> commenters reported that the perpetrators gave up after a few tries. My
> experience is that every day a variable number of potential crackers bang on
> the system via sshd, but most of them must use script automation because
> most just keep trying. They're all rejected, but the number of attempts can
> be impressive.
And I'll recommend this iptables recipe again. (CentOS 5.3 system -
/etc/sysconfig/iptables -- therefore Redhat, Fedora, SciLinux, Whitebox
should be similar. You'll have to figure it out if you're using something
else.)

#+# Handle brute force assaults.
-N SSH_WHITELIST
-A SSH_WHITELIST -s 192.168.42.42 -m recent --remove --name SSH -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
###
#+#
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

At the most I see three or four attempts from an IP/host/system. They seem
to give up after getting dropped connections for 60 seconds. Once, I seem
to remember, seeing more attempts, but I assume they came back again.

Substitute your favorite IP for the 192.168.42.42 and add more similar
lines for others that you don't want to get caught if their ssh client (or
fingers) get too energetic and make three tries in less than a minute.
(Watch out for the odd line breaks if you copy/paste.)

\\||/
Rod
--

> Here's today's logwatch summary for yesterday's attempts:
>
> --------------------- SSHD Begin ------------------------
>
> Failed logins from:
>    83.14.99.10 (sig.com.pl): 10 times
>    88.191.77.63 (sd-14397.dedibox.fr): 66 times
>
> Illegal users from:
>    83.14.99.10 (sig.com.pl): 1 time
>    88.191.77.63 (sd-14397.dedibox.fr): 3742 times
>
> Locked account login attempts:
>    postfix : 5 Time(s)
>
> ---------------------- SSHD End -------------------------
>
> The ratio of failed logins to illegal users varies, but both numbers can
> be quite high.
>
> Thought I'd share with you because I don't understand why folks will try
> to log in as postfix or another service.
>
> Rich

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
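The rule order in Rod's recipe is easy to misread (which attempt is the one that gets dropped, how long the block lasts, why the whitelist chain comes after the --set rule). The following Python model is an added illustration, not code from Rod's post or from the iptables project. It replays a constructed sequence of NEW connections to port 22 through the same five-rule order using the match semantics of the xt_recent module: --set always records a hit, --remove matches only if an entry exists, and a matching --update rule stamps the current packet as well. Two simplifications are assumptions of the model, not the kernel's exact behaviour: the --rttl TTL comparison is ignored, and the per-address history is capped at 20 stamps (the module's default ip_pkt_list_tot). The source addresses reuse 88.191.77.63 from the logwatch summary and 192.168.42.42 from the recipe; the timestamps are made up.

```python
"""Model of the xt_recent rate limit in the SSH_brute_force iptables recipe.

Constructed example (not the kernel's code). Chain order as in the recipe:

  1. -m recent --set --name SSH                 (records a hit, no target)
  2. -j SSH_WHITELIST                            (listed source: --remove, ACCEPT)
  3. -m recent --update --seconds 60 --hitcount 4 -j LOG
  4. -m recent --update --seconds 60 --hitcount 4 -j DROP
  5. -j ACCEPT

Assumptions: the --rttl TTL check is ignored and histories are capped at
20 stamps, the recent module's default ip_pkt_list_tot.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
HITCOUNT = 4
MAX_STAMPS = 20                        # xt_recent ip_pkt_list_tot default
WHITELIST = {"192.168.42.42"}          # the address used in the recipe

SCANNER = "88.191.77.63"               # from the logwatch summary
ADMIN = "192.168.42.42"                # the whitelisted operator


class RecentList:
    """Per-address timestamp history, as kept by '-m recent --name SSH'."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: create the entry or append another stamp to it."""
        hist = self.stamps[src]
        hist.append(now)
        del hist[:-MAX_STAMPS]         # ring buffer: keep only the newest 20

    def remove(self, src):
        """--remove: matches (and deletes the entry) only if it exists."""
        return self.stamps.pop(src, None) is not None

    def update(self, src, now, seconds, hitcount):
        """--update --seconds N --hitcount M.

        Matches when at least M stamps fall within the last N seconds.
        On a match the current packet is stamped too, which is why a
        blocked host stays blocked for as long as it keeps knocking.
        """
        hist = self.stamps.get(src)
        if hist is None:
            return False
        hits = sum(1 for t in hist if now - t <= seconds)
        if hits >= hitcount:
            self.set(src, now)
            return True
        return False


def run_chain(events, whitelist=WHITELIST):
    """Walk (time, src) NEW connections through the chain.

    Returns one (time, src, verdict, logged) tuple per connection, where
    verdict is 'ACCEPT' or 'DROP' and logged says whether rule 3 fired.
    """
    recent = RecentList()
    verdicts = []
    for now, src in sorted(events):
        recent.set(src, now)                                    # rule 1
        if src in whitelist and recent.remove(src):             # rule 2
            verdicts.append((now, src, "ACCEPT", False))
            continue
        logged = recent.update(src, now, WINDOW_SECONDS, HITCOUNT)  # rule 3, LOG is non-terminating
        if recent.update(src, now, WINDOW_SECONDS, HITCOUNT):       # rule 4
            verdicts.append((now, src, "DROP", logged))
            continue
        verdicts.append((now, src, "ACCEPT", logged))           # rule 5
    return verdicts


# Constructed traffic: a scanner that connects every 10 s, gives up, and
# comes back once the 60 s window has emptied, plus the whitelisted admin
# fat-fingering five logins in 20 s.
SAMPLE_EVENTS = [
    (0, SCANNER), (0, ADMIN), (5, ADMIN), (10, SCANNER), (10, ADMIN),
    (15, ADMIN), (20, SCANNER), (20, ADMIN), (30, SCANNER), (40, SCANNER),
    (200, SCANNER), (210, SCANNER),
]

if __name__ == "__main__":
    for now, src, verdict, logged in run_chain(SAMPLE_EVENTS):
        flag = "  (SSH_brute_force logged)" if logged else ""
        print(f"t={now:4d}  {src:15s}  {verdict}{flag}")
```

Run against the constructed traffic, the scanner's first three connections in the window are accepted, the fourth at t=30 is both logged and dropped, t=40 is dropped too because the dropped attempts were stamped as well, and after 60 quiet seconds the address gets three fresh tries. The whitelisted address is accepted every time because the --set rule has just created its entry, so the --remove match in SSH_WHITELIST always succeeds; swapping rules 1 and 2 would leave the whitelist chain with nothing to remove, which is why the order matters.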
