On Apr 12, 2006, at 9:51 AM, Chris Carey wrote:
On 4/12/06, Blake B. <[EMAIL PROTECTED]> wrote:
I agree with that completely. But I like simplicity. I just use
rate-limiting, I get maybe 2 or 3 attempts at SSH on port 22 a day.
With this method they give up very quickly.
sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
  -m recent --set
sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 4 -j DROP
Anything that hits port 22 more than 4 times within 60 seconds gets
blocked. This is obviously vulnerable to throttling the attacks, but
it's always automated, and they're usually only interested in the
low-hanging fruit.
-Blake
This is cool. Is the rate-limiting on port 22 only blocking the IP of
the offending connection? *or* does it block port 22 for *everyone* if
there are too many incoming connections?
Only the offending IP. You can also use the "limit" module to do
complete limiting without a blacklist (excerpt from
http://www.penguinsecurity.net/pensec/modules.php?name=News&file=article&sid=171):
One obvious application of rate limiting on incoming traffic is to
block ping flooding. We can obviously block ping floods with a rule
blocking incoming echo-request ICMP packets altogether, but this is
inelegant; this is Linux, remember? What we want to do, rather, is to
allow such packets but only in small quantities. Have a look at the
relevant rule:
iptables -A INPUT -p ICMP --icmp-type echo-request \
  -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
-Blake
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
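A small simulation of the two matches discussed in the thread, added here as an illustration and not part of the original mails or of iptables: the per-source window of `-m recent --seconds 60 --hitcount 4` and the shared token bucket of `-m limit --limit 1/minute --limit-burst 5` are modelled from their manual-page semantics, and the connection trace (source addresses 10.0.0.99 and 192.0.2.10) is constructed. It shows why `recent` only blocks the offender while `limit` throttles every sender once the burst is spent.

```python
from collections import defaultdict, deque


class RecentMatch:
    """Per-source window: -m recent --set / --update --seconds S --hitcount N."""

    def __init__(self, seconds=60, hitcount=4):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(deque)  # source IP -> timestamps of NEW packets

    def filter(self, src, now):
        """Verdict for a NEW packet from src at time now (seconds)."""
        seen = self.stamps[src]
        # xt_recent counts the stamps already stored that are newer than
        # now - seconds; the current packet is not counted, so the
        # (hitcount + 1)-th attempt inside the window is the first one dropped.
        hits = sum(1 for t in seen if now - t <= self.seconds)
        seen.append(now)  # recorded either by --update (on match) or by --set
        return "DROP" if hits >= self.hitcount else "ACCEPT"


class LimitMatch:
    """Global token bucket: -m limit --limit R/minute --limit-burst B."""

    def __init__(self, per_minute=1, burst=5):
        self.rate, self.tokens, self.burst = per_minute / 60.0, float(burst), burst
        self.last = 0.0

    def filter(self, src, now):
        """Verdict ignores src: one bucket is shared by every sender."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return "ACCEPT"
        return "DROP"  # assumes a following rule drops what limit did not match


# Constructed trace: (time in seconds, source IP). 10.0.0.99 hammers the port
# eight times in 20 s; an administrator at 192.0.2.10 connects once at t=25.
TRACE = [(t * 2.5, "10.0.0.99") for t in range(8)] + [(25.0, "192.0.2.10")]


def run(matcher):
    """Apply one matcher to the trace; return {source IP: [verdicts]}."""
    out = defaultdict(list)
    for now, src in TRACE:
        out[src].append(matcher.filter(src, now))
    return dict(out)


if __name__ == "__main__":
    for name, matcher in (("recent", RecentMatch()), ("limit", LimitMatch())):
        print(name, run(matcher))
```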