On 30 December 2011 14:22, jdow <[email protected]> wrote:
> On 2011/12/30 00:14, MT Julianto wrote:
>
>> Indeed, I found some traces of an intruder trying to get root access via
>> ssh, but none succeeded. Now, I use fail2ban (available at atrpms) to
>> handle them.
>
> I find zero to five tries a day. For some strange reason every try is from
> a different address.

Exactly! I have a web server which still gets thousands of sshd attacks per month, although fail2ban is installed with bantime = 1 hour :-(

For the current machine, just before fail2ban was installed yesterday, I found about 500 tries in half an hour from the same address. sshd attacks dropped drastically after fail2ban was installed.

> I have my own iptables script with lines like these in it:
> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>     --rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
>     --log-level info
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>     --rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
>
> The -m recent, --seconds 60, and --hitcount 2 phrases are the magic. Much of
> that is so that I get the rejects logged, thanks to my sick curiosity.

Interesting! However, I don't know much about iptables.

> This allows me to typo the password. All I have to do is wait a couple
> minutes between tries.

Is it the same as fail2ban with the setting maxretry=1 ?

Regards,
-Tito.
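The two mechanisms discussed in this thread count different things: jdow's `-m recent` rules count TCP SYNs to port 22 per source address and reject a SYN when two or more have been seen in the last 60 seconds, while fail2ban counts failed logins from sshd's log and bans the address for `bantime` once `maxretry` failures fall within `findtime`. The simulation below is an added example written for this page, not code from the thread or from either project: `RecentMatch` models the `--set` / `--rcheck --seconds 60 --hitcount 2` pair (including the fact that rejected SYNs are still recorded by the `--set` rule, so the source must go quiet for a full window), and `Fail2banJail` models a jail with `maxretry=1`. The class and function names, the `findtime=600`/`bantime=3600` values and the event stream (two addresses, timestamps in seconds) are all constructed assumptions.

```python
"""Compare iptables '-m recent' rate limiting with a fail2ban-style jail.

Model A: --set, then --rcheck --seconds 60 --hitcount 2 -> REJECT (from the thread)
Model B: fail2ban-style jail with maxretry=1 (findtime/bantime values assumed)

Helper names, addresses and timestamps are constructed for this example.
"""
from collections import defaultdict, deque


class RecentMatch:
    """Model of xt_recent: every SYN is recorded (--set); the SYN is then
    rejected if the source has >= hitcount entries within the last `seconds`."""

    def __init__(self, seconds=60, hitcount=2, list_size=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.list_size = list_size          # xt_recent default ip_pkt_list_tot
        self.history = defaultdict(deque)   # src ip -> timestamps of recent SYNs

    def syn(self, ip, t):
        hist = self.history[ip]
        hist.append(t)                      # --set runs first: rejected SYNs count too
        if len(hist) > self.list_size:
            hist.popleft()
        hits = sum(1 for ts in hist if t - ts <= self.seconds)
        return "REJECT" if hits >= self.hitcount else "ACCEPT"


class Fail2banJail:
    """Log-driven jail: counts *failed logins*, not connections, and bans the
    address for bantime once maxretry failures occur within findtime."""

    def __init__(self, maxretry=1, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)   # src ip -> failure timestamps
        self.banned_until = {}              # src ip -> ban expiry time

    def syn(self, ip, t):
        return "BANNED" if self.banned_until.get(ip, 0) > t else "ACCEPT"

    def auth_failed(self, ip, t):
        """Called when sshd would log a failed password for ip at time t."""
        window = [ts for ts in self.failures[ip] if t - ts <= self.findtime]
        window.append(t)
        self.failures[ip] = window
        if len(window) >= self.maxretry:
            self.banned_until[ip] = t + self.bantime
            self.failures[ip] = []


# Constructed events: (time_in_seconds, src_ip, would_auth_succeed)
EVENTS = [
    (0,   "198.51.100.7", False),   # brute-forcer, one try every 5 s
    (5,   "198.51.100.7", False),
    (10,  "198.51.100.7", False),
    (75,  "198.51.100.7", False),   # ... then silent for over a minute
    (0,   "203.0.113.5",  False),   # admin typos the password
    (30,  "203.0.113.5",  True),    # retries half a minute later
    (200, "203.0.113.5",  True),    # retries after a couple of minutes
]


def simulate(events):
    """Return {ip: [(t, recent_verdict, fail2ban_verdict), ...]}."""
    recent, jail = RecentMatch(), Fail2banJail(maxretry=1)
    out = defaultdict(list)
    for t, ip, ok in sorted(events):
        verdict_a = recent.syn(ip, t)
        verdict_b = jail.syn(ip, t)
        if verdict_b == "ACCEPT" and not ok:   # reached sshd and failed auth
            jail.auth_failed(ip, t)
        out[ip].append((t, verdict_a, verdict_b))
    return dict(out)


if __name__ == "__main__":
    for ip, rows in simulate(EVENTS).items():
        print(ip)
        for t, a, b in rows:
            print(f"  t={t:>4}s  -m recent: {a:<7} fail2ban(maxretry=1): {b}")
```

Running it shows the difference the thread is circling around: under the `-m recent` rules the admin's quick retry at t=30 is rejected but the retry at t=200 goes through, and the brute-forcer who pauses for more than a minute is also let back in (rate limiting, not a ban); under `maxretry=1` a single typo bans the admin for the full `bantime`, exactly as it bans the attacker. One bad password should ban nobody, so a `maxretry` of 3 to 5 is the usual compromise, and the two mechanisms can be layered since they act on different signals.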
