Iptables and sshd bruteforcing
Before adding firewall rules to limit the number of ssh connection attempts:
beast:/home/ewan# zcat /var/log/auth.log.3.gz | grep -i invalid | wc -l
6874
After:
beast:/home/ewan# zcat /var/log/auth.log.2.gz | grep -i invalid | wc -l
3
beast:/home/ewan# zcat /var/log/auth.log.1.gz | grep -i invalid | wc -l
14
For the record, I disabled password-based logins, instead only allowing key-based logins, and used the following firewall rules:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
If a source makes 3 new connection attempts within 600 seconds, the third one (and any that follow while it keeps trying) is dropped with no response, which should (hopefully) slow down its scanner. Another option is to change the DROP to TARPIT (a target from xtables-addons, not stock iptables), but I haven't had the time to try it.
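To show why the two rules drop the third attempt rather than the second, here is a small Python model added for this page (not code from the original post, and not the kernel's xt_recent source): it replays constructed connection attempts through the chain in the order the two -I INPUT calls leave it, with the DROP rule sitting above the --set rule. The sample addresses and timestamps are made up, and the 20 stamps kept per address is the kernel default ip_pkt_list_tot.

```python
# Added model of the post's two xt_recent rules; kernel defaults and traffic are assumptions.
SECONDS = 600       # --seconds 600
HITCOUNT = 2        # --hitcount 2
PKT_LIST_TOT = 20   # stamps kept per address: kernel default ip_pkt_list_tot (assumption)
SCANNER = "203.0.113.7"   # constructed addresses (RFC 5737 ranges), not from the post
ADMIN = "198.51.100.4"
class RecentTable:
    """One xt_recent list: source address -> timestamps, newest first."""
    def __init__(self):
        self.stamps = {}

    def _push(self, src, now):
        stamps = self.stamps.setdefault(src, [])
        stamps.insert(0, now)
        del stamps[PKT_LIST_TOT:]  # oldest stamps fall off the end

    def set(self, src, now):
        """'--set': record this packet; the rule always matches."""
        self._push(src, now)
        return True

    def update(self, src, now):
        """'--update --seconds S --hitcount H': match only if the address already
        has >= H stamps inside the last S seconds; a match also refreshes the entry,
        so a source that keeps retrying stays blocked until it goes quiet for S."""
        stamps = self.stamps.get(src)
        if stamps is None or sum(1 for t in stamps if t >= now - SECONDS) < HITCOUNT:
            return False
        self._push(src, now)
        return True

def evaluate(attempts):
    """Run NEW tcp/22 attempts (seconds, src) through the chain as the two '-I INPUT'
    calls leave it: DROP rule first, then the target-less --set rule, then ACCEPT."""
    table, verdicts = RecentTable(), []
    for now, src in sorted(attempts):
        if table.update(src, now):
            verdicts.append((now, src, "DROP"))
        else:
            table.set(src, now)
            verdicts.append((now, src, "ACCEPT"))
    return verdicts

# Constructed timeline: scanner hammering port 22, an admin logging in twice, scanner back after >600 s quiet.
SAMPLE_ATTEMPTS = [(0, SCANNER), (5, ADMIN), (10, SCANNER), (20, SCANNER),
                   (30, SCANNER), (40, SCANNER), (300, ADMIN), (700, SCANNER)]

if __name__ == "__main__":
    for now, src, verdict in evaluate(SAMPLE_ATTEMPTS):
        print(f"t={now:>4}s {src:<14} {verdict}")
```

The --update rule counts only the stamps recorded before the current packet, so --hitcount 2 starts dropping at the third attempt, and because a match refreshes the entry a scanner that keeps retrying stays blocked until it has been silent for a full 600 seconds.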
Labels: bruteforce, iptables, ssh