iptables and ssh

Rainer Traut tr.ml at gmx.de
Tue Jun 13 11:31:18 UTC 2006


Hi,

jdow wrote:

>> sth like this?
>> this is from my iptables script, you have to adjust the variables.
>>
>> $ipt -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --name SSH --update --seconds 60 --hitcount 4 -j LOG_DROP
>>
>> $ipt -A INPUT -m state --state NEW -p tcp --dport 22 -m recent --name SSH --set
>>
>> Rainer
> 
> I do it a little more thoroughly - I log the attempts after timeouts.
> 
> # Then setup the reject trap.
> $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>  --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
> $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>  --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
> 

hmm, I'm logging them, too.
But you're rejecting them, and that is more convenient for the attacker, 
isn't it?
This way he doesn't have half-open TCP connections, which sooner or later 
hurt him.

Rainer
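Both rule sets in this thread lean on the `recent` match, and they differ in two ways: Rainer checks before he `--set`s and uses `--update`, jdow `--set`s first and uses `--rcheck`. The model below is an added example, not code from either poster: it replays a constructed burst of SSH SYNs through both orderings using the `--set`/`--rcheck`/`--update` semantics of the kernel module as described in the comments (the unbounded history, the `update=False` what-if and the source address are assumptions), so you can see where each starts blocking and why `--update` matters in Rainer's ordering.

```python
from collections import defaultdict


class RecentTable:
    """One `-m recent --name <list>` table. Assumed simplification: full stamp
    history; the kernel's bounded ring (ip_pkt_list_tot, default 20) gives the
    same verdicts for bursts shorter than that."""

    def __init__(self):
        self.stamps = defaultdict(list)  # source address -> seen times (s)

    def set(self, src, now):
        """--set: record the packet; always matches."""
        self.stamps[src].append(now)

    def check(self, src, now, seconds, hitcount, update=False):
        """--rcheck (update=False) or --update (update=True) with --seconds and
        --hitcount: match when >= hitcount packets fall inside the window.
        --update records the packet only when the rule matched, as the kernel does."""
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t < seconds)
        if hits < hitcount:
            return False
        if update:
            self.stamps[src].append(now)
        return True


def rainer_verdict(table, src, now, update=True):
    """Rainer's order: hitcount rule (4 in 60 s) first, then --set.
    update=False is a what-if (--rcheck in place of --update), not his rule."""
    if table.check(src, now, 60, 4, update=update):
        return "LOG_DROP"
    table.set(src, now)
    return "ACCEPT"


def jdow_verdict(table, src, now):
    """jdow's order: --set first, then --rcheck (3 in 120 s) -> LOG, REJECT."""
    table.set(src, now)
    return "REJECT" if table.check(src, now, 120, 3) else "ACCEPT"


def replay(policy, times, **kw):
    """Run one constructed source's SYN times (seconds) through a policy."""
    table = RecentTable()
    return [policy(table, "198.51.100.7", t, **kw) for t in times]


# Constructed burst: four quick logins, hammering every 10 s, retry 29 s later.
BURST = [0, 5, 10, 15, 20, 30, 40, 50, 79]
```

With Rainer's check-before-set order, `--update` is what records the blocked attempts, so a source that keeps hammering stays in LOG_DROP; `replay(rainer_verdict, BURST, update=False)` lets the same source back in on the last attempt. jdow's set-before-check order records every SYN regardless, so his third attempt in 120 s is already rejected.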
