Well, Michael and Alex beat me to it.
That's what I was going to say; use iptables. Though Alex's rules are
somewhat more complex than mine, I think mine do the same.
After setting up the chain, my salient rule is just:
-A INBOUND_FILTER -i eth0 -p tcp -m tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT
------------------------------------------------------------------------
Kind Regards
Kyle
Alex Samad wrote:
On Fri, Oct 10, 2008 at 03:41:57PM +1100, Michael Chesterton wrote:
I use with great success an iptables rule to limit new ssh connections to
2 or 3 a minute, brute forcers will get a few attempts, then timeout and
move on.
That's what I have found as well.
For example, the rules I am using now are:
# Create the user chain that the INPUT rule below jumps to.
iptables -t filter -N SSH
# Every packet to port 22 on the internet-facing interface goes to the SSH
# chain; if an ACCEPT for ESTABLISHED/RELATED traffic does not come first in
# INPUT, packets of existing sessions will also count towards the hitcount.
iptables -A INPUT -i <internet interface> -p tcp --dport 22 -j SSH
# Add (or refresh) the source address in the "SSH" recent list.
iptables -t filter -A SSH -m recent --set --name SSH
# Fewer than 4 hits from this source in the last 300 seconds: return to
# INPUT and let the normal rules handle the packet.
iptables -t filter -A SSH -m recent --name SSH ! --rcheck --seconds 300 --hitcount 4 -j RETURN
# Well, the NEW connection has been seen so let's update the SSH
# recent list.
iptables -t filter -A SSH -m recent --name SSH --update
# I like to log on a line by itself so I don't have to remember
# to do it on my last line prior to the end of my script.
# $ULOG_OPTIONS is set earlier in the script (e.g. --ulog-nlgroup).
iptables -t filter -A SSH --jump ULOG $ULOG_OPTIONS --ulog-prefix "sydrt01 (SSH)"
iptables -t filter -A SSH -j DROP
--
http://chesterton.id.au/blog/
http://barrang.com.au/
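To make the difference between the two approaches in this thread concrete, here is an added example (not code from any of the posts) that models Alex's per-source "recent" rules and Kyle's global "limit" rule over a constructed stream of NEW ssh attempts. It assumes only NEW packets reach the rules (an earlier ESTABLISHED accept), models xt_limit as a whole-second credit bucket, and uses made-up addresses; the main point it shows is that "-m limit" is one bucket shared by every source, so a brute forcer can exhaust it for the admin as well, while "-m recent" blocks only the offending source.

```python
# Added example, not from the list posts: model of the two rate-limit approaches.
from collections import defaultdict, deque

WINDOW, HITS, LIST_LEN = 300, 4, 20   # --seconds 300 --hitcount 4; xt_recent keeps 20 stamps

class RecentTable:
    """Per-source stamp list as kept by '-m recent --name SSH'."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_LEN))
    def set(self, src, now):            # --set (and --update): record this packet
        self.stamps[src].append(now)
    def rcheck(self, src, now):         # --rcheck: at least HITS stamps inside WINDOW
        return sum(now - t <= WINDOW for t in self.stamps.get(src, ())) >= HITS

def ssh_chain(table, src, now):
    """Verdict of Alex's SSH chain for one NEW packet from src at time now (s)."""
    table.set(src, now)                 # iptables ... -m recent --set --name SSH
    if not table.rcheck(src, now):      # ... ! --rcheck --seconds 300 --hitcount 4 -j RETURN
        return "RETURN"                 # back to INPUT, where it is normally accepted
    table.set(src, now)                 # --update adds a stamp; then ULOG, then -j DROP
    return "DROP"

class LimitBucket:
    """'-m limit --limit 2/minute --limit-burst 2': ONE bucket shared by every source.
    Credits are whole seconds; a packet costs 60/rate and the bucket holds 'burst' packets."""
    def __init__(self, per_minute=2, burst=2):
        self.cost = 60 // per_minute
        self.cap = self.credits = burst * self.cost
        self.last = 0
    def allow(self, now):
        self.credits = min(self.cap, self.credits + (now - self.last))
        self.last = now
        if self.credits < self.cost:
            return False
        self.credits -= self.cost
        return True

# Constructed stream of NEW ssh attempts: (seconds, source). The attacker
# retries every 10 s; the admin tries once during that burst and once later.
ATTACKER, ADMIN = "198.51.100.7", "203.0.113.5"
STREAM = [(0, ATTACKER), (10, ATTACKER), (12, ADMIN), (20, ATTACKER),
          (30, ATTACKER), (40, ATTACKER), (400, ADMIN)]

def run_recent(stream=STREAM):          # per-source: only the attacker gets dropped
    table = RecentTable()
    return [(src, ssh_chain(table, src, t)) for t, src in stream]

def run_limit(stream=STREAM):           # global: the admin is locked out too at t=12
    bucket = LimitBucket()              # a NEW packet that misses the limit falls through to DROP
    return [(src, "ACCEPT" if bucket.allow(t) else "DROP") for t, src in stream]
```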
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html