Catalin Catana wrote:
Hi,
I want to use iptables to automatically filter the IPs from which ssh is being scanned / user/pass attempts are made (possibly for other services too, but especially for ssh).
My problem is that these attacks go on for hours on end .. and they generate needless load on the server ... if I filter them with iptables and DROP ... the load goes away.
# Create the chain the rules below are appended to.
iptables -N SSH_Brute_Force
# Let's jump to the SSH_Brute_Force chain if this is a new connection that is not from my IP address.
# This will prevent processing these rules for non SSH traffic.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW ! -s $My_IP_Address -j SSH_Brute_Force
# Let's white list some IP addresses.
iptables -A SSH_Brute_Force -s $My_IP_Address -j RETURN
iptables -A SSH_Brute_Force -s $My_Friends_IP_Address -j RETURN
iptables -A SSH_Brute_Force -s $Any_other_IP_that_I_want_to_whitelist -j RETURN
# Record this NEW connection in the SSH recent list (--set cannot share a match with --rcheck/--hitcount, so it gets its own rule).
iptables -A SSH_Brute_Force -m recent --name SSH --set
# If there have not been 4 NEW connection attempts from this source IP address in the last 60 seconds let's return to the INPUT chain.
iptables -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 --hitcount 4 -j RETURN
# Well, the NEW connection has been seen so let's update the SSH recent list.
iptables -A SSH_Brute_Force -m recent --name SSH --update
# I like to log on a line by itself so I don't have to remember to do it on my last line prior to the end of my script.
iptables -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
# Let's send the person that is trying to SSH in to us to the TARPIT target and make them think twice before they try again.
# TARPIT will force the site that is SSHing in to us to timeout the connection. Sure stick your hand in my port, I'll grab hold of it and not let go,
# you will have to chew your arm off and grow a new one and try again. I'll hold your new arm again and again and again and... This should slow you down.
# (TARPIT is not part of stock iptables; it is provided by xtables-addons.)
iptables -A SSH_Brute_Force -j TARPIT
--
"A computer will not make a good manager out of a bad manager.
It makes a good manager better faster and a bad manager worse faster."
Ed Esber, president, Ashton-Tate, 1986
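To make the 4-in-60-seconds threshold of the posted chain concrete, here is an added Python model of the recent match's per-source sliding window (this is not code from the post); it assumes the kernel default of 20 remembered timestamps per address, a constructed whitelist standing in for $My_IP_Address, and constructed source addresses and times.

```python
from collections import defaultdict, deque

RECENT_HISTORY = 20          # kernel default ip_pkt_list_tot: stamps kept per address
SECONDS, HITCOUNT = 60, 4    # thresholds from the posted --rcheck rule
WHITELIST = {"203.0.113.5"}  # constructed stand-in for $My_IP_Address and friends

class RecentList:
    """Models one '-m recent --name SSH' list: per-source timestamps, newest first."""
    def __init__(self):
        self.hist = defaultdict(lambda: deque(maxlen=RECENT_HISTORY))

    def set(self, src, now):  # --set: create or refresh the entry, record one hit
        self.hist[src].appendleft(now)

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds N --hitcount M: entry exists with >= M hits in the last N s
        if src not in self.hist:
            return False
        return sum(1 for t in self.hist[src] if now - t <= seconds) >= hitcount

    def update(self, src, now):  # --update: match if the entry exists, then re-stamp it
        if src not in self.hist:
            return False
        self.hist[src].appendleft(now)
        return True

def ssh_brute_force_chain(recent, src, now):
    """Walks the SSH_Brute_Force chain for one NEW SSH connection, returns the verdict."""
    if src in WHITELIST:                                 # -s $My_IP_Address -j RETURN
        return "RETURN"
    recent.set(src, now)                                 # -m recent --name SSH --set
    if not recent.rcheck(src, now, SECONDS, HITCOUNT):   # ! --rcheck ... -j RETURN
        return "RETURN"
    recent.update(src, now)                              # -m recent --name SSH --update
    return "LOG+TARPIT"                                  # -j LOG, then -j TARPIT

def run(attempts):
    recent = RecentList()
    return [(t, src, ssh_brute_force_chain(recent, src, t)) for t, src in attempts]

# Constructed attempts (offset in seconds, source address); not real log data.
ATTEMPTS = [
    (0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
    (30, "198.51.100.7"),   # 4th NEW connection inside 60 s -> tarpitted
    (35, "203.0.113.5"),    # whitelisted address is never counted
    (40, "192.0.2.9"),      # a single attempt from elsewhere passes
    (100, "198.51.100.7"),  # only 1 hit in the last 60 s -> passes again
]

if __name__ == "__main__":
    for t, src, verdict in run(ATTEMPTS):
        print(f"t={t:3}s {src:14} -> {verdict}")
```

Note that the 4th attempt is tarpitted because the --set rule records the current connection before --rcheck counts, and that the source is let through again once the older hits fall outside the 60-second window.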
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug