On 04/19/2013 09:05 PM, Roberto C. Sánchez wrote:
> On Fri, Apr 19, 2013 at 02:13:46PM -0700, Fred Maillou wrote:
>>    Hello,
>>      sshguard detects brute force attacks and blocks IPs according to a
>>    certain algorithm.  For it to work it needs a rule:
>>    iptables -N sshguard
>>    iptables -A INPUT -j sshguard
>>      And so in Shorewall's started.d/ I created a file and added;
>>    #!/bin/bash
>>    iptables -N sshguard
>>    iptables -I INPUT 1 -j sshguard
>>    Which makes this rule the first one, after which the Shorewall rules are
>>    defined.
>>    Is this the right way to add such a rule ?  When a packet enters it will
>>    go to sshguard.  If the packet is not concerned by any rule in there, will
>>    it go back to the first Shorewall INPUT rule ?
>>    Thanks for suggestions/comments !
> 
> Tom already noted that there is no started.d/ directory for
> Shorewall.  However, I will add that the "right" solution is to disable
> password login for ssh, and allow only key-based authentication.  That
> makes it effectively impossible for a brute force attack to succeed.

We also recommend using the RATE LIMIT column on ssh ACCEPT rules to
limit the number of attempts allowed from a given IP address. I
personally use this rule:

        ACCEPT net all tcp 22 - - s:ssh:1/min:3

That allows up to three attempts in a minute; if the three fail, then
only one attempt per minute is allowed.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
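As an added illustration (not code from this thread and not Shorewall's own
code), the Python below models what a RATE LIMIT entry such as
s:ssh:1/min:3 does for each source address: a token bucket that starts with
`burst` tokens and earns one back per `rate` interval, so a source gets three
quick attempts and then one per minute. It assumes Shorewall realises a named
per-address limit with the iptables hashlimit match (--hashlimit-upto,
--hashlimit-burst, --hashlimit-mode srcip, --hashlimit-name); the connection
timestamps in SAMPLE_EVENTS are constructed for the demonstration.

```python
"""Token-bucket model of a Shorewall RATE LIMIT column entry (added example).

Assumption: a spec like s:ssh:1/min:3 becomes an iptables hashlimit match keyed
on the source address.  The simulation below follows hashlimit's credit model:
each source starts with `burst` credits, spends one per accepted packet, and
earns one back every (unit / rate) seconds, capped at `burst`.
"""
import re
from dataclasses import dataclass

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}

# mode ':' name ':' rate '/' unit [':' burst]   e.g.  s:ssh:1/min:3
SPEC_RE = re.compile(r"^([sd]):([A-Za-z0-9_]*):(\d+)/(sec|min|hour|day)(?::(\d+))?$")


@dataclass
class RateLimit:
    mode: str    # "s" = per source address, "d" = per destination address
    name: str    # hashlimit table name (the "ssh" in s:ssh:1/min:3)
    rate: int    # sustained matches allowed per unit once the burst is spent
    unit: str    # sec | min | hour | day
    burst: int   # initial credits, i.e. how many quick attempts are allowed

    @property
    def interval(self) -> float:
        """Seconds a source must wait to earn back one credit."""
        return UNIT_SECONDS[self.unit] / self.rate

    def iptables_args(self) -> str:
        """Equivalent hashlimit match (assumed Shorewall translation)."""
        mode = {"s": "srcip", "d": "dstip"}[self.mode]
        return (f"-m hashlimit --hashlimit-upto {self.rate}/{self.unit} "
                f"--hashlimit-burst {self.burst} --hashlimit-mode {mode} "
                f"--hashlimit-name {self.name}")


def parse_rate_limit(spec: str) -> RateLimit:
    """Parse the per-address form of the RATE LIMIT column."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"not a per-address RATE LIMIT spec: {spec!r}")
    mode, name, rate, unit, burst = m.groups()
    # burst defaults to 5, as the iptables limit/hashlimit matches do (assumption)
    return RateLimit(mode, name or "default", int(rate), unit,
                     int(burst) if burst else 5)


class TokenBucket:
    """Per-address credit store, one bucket per source (or destination)."""

    def __init__(self, limit: RateLimit):
        self.limit = limit
        self.state = {}  # address -> (credits, time of last packet)

    def allow(self, addr: str, t: float) -> bool:
        credits, last = self.state.get(addr, (float(self.limit.burst), t))
        # credits earned since the last packet, capped at the burst size
        credits = min(self.limit.burst, credits + (t - last) / self.limit.interval)
        if credits >= 1.0:
            self.state[addr] = (credits - 1.0, t)
            return True
        self.state[addr] = (credits, t)
        return False


# Constructed sample: one source hammering port 22, one legitimate source.
SAMPLE_EVENTS = [
    ("10.0.0.5", 0), ("10.0.0.5", 5), ("10.0.0.5", 10),   # three quick attempts
    ("192.0.2.7", 12),                                     # unrelated client
    ("10.0.0.5", 15), ("10.0.0.5", 20),                    # over budget
    ("10.0.0.5", 65),                                      # one credit earned back
    ("10.0.0.5", 70),                                      # over budget again
]


def simulate(spec: str, events):
    """Return [(addr, t, accepted)] for each connection attempt under `spec`."""
    bucket = TokenBucket(parse_rate_limit(spec))
    return [(addr, t, bucket.allow(addr, t)) for addr, t in events]


if __name__ == "__main__":
    limit = parse_rate_limit("s:ssh:1/min:3")
    print(limit.iptables_args())
    for addr, t, ok in simulate("s:ssh:1/min:3", SAMPLE_EVENTS):
        print(f"t={t:3d}s {addr:10s} {'ACCEPT' if ok else 'drop'}")
```

Running it shows the 10.0.0.5 attempts at 0, 5 and 10 seconds accepted, the
ones at 15 and 20 seconds dropped, one more accepted at 65 seconds and the
next dropped, while the other client is unaffected because each address has
its own bucket. Note that the limit counts new SSH connections, not failed
logins, so a client that opens many sessions legitimately hits it too; the
key-only authentication Roberto recommends is what removes the password
attack surface, and the rate limit just slows down the noise.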


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users