SSH and login attack

Mike Pepe lamune at doki-doki.net
Sat Jun 18 12:27:18 UTC 2005



Thomas Cameron wrote:
> 
> These attacks appear to me to fire multiple concurrent connections to
> get around the delay.
> 
> Thomas
> 

Possibly. I found a script out there and modified it a bit; this will
block the attacker after opening up 3 concurrent connections in 60 seconds:

# Load the recent-match module; ip_list_tot raises the number of source
# addresses the list can remember.
modprobe ipt_recent ip_list_tot=200

# Assumed definitions (not part of the original snippet): the iptables
# binary and the interface the SSH daemon is reached on.
IPT=/sbin/iptables
IF=eth0
IPADDR=67.110.180.110

# 1. Source already has 3 hits in the last 60 s: log it. LOG is
#    non-terminating, so the packet continues to the next rule.
$IPT -A INPUT -i $IF -p tcp \
         -d $IPADDR --dport 22 -m state --state NEW -m recent --rcheck \
         --hitcount 3 --seconds 60 --name SSH_PROBERS \
         -j LOG --log-prefix "Adaptive-FW SSH Prober: "

# 2. Same test, but --update also refreshes the entry before dropping,
#    so the block lasts 60 s past the attacker's most recent attempt.
$IPT -A INPUT -i $IF -p tcp \
         -d $IPADDR --dport 22 -m state --state NEW -m recent \
         --update --hitcount 3 --seconds 60 --name SSH_PROBERS \
         -j DROP

# 3. Fewer than 3 hits: record this connection and let it through.
$IPT -A INPUT -i $IF -p tcp \
         -d $IPADDR --dport 22 -m state --state NEW -m recent \
         --set --name SSH_PROBERS -j ACCEPT

So far this is working for me; it has a few drawbacks but seems simple
enough for now.
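To see what the three rules above actually do to a stream of connections, here is a small Python model of the ipt_recent --rcheck / --update / --set chain (added example, not code from the mail or from the netfilter project). The connection list and the two addresses in it are constructed; the model counts hits within the 60 s window the way the rules are written.

```python
from collections import defaultdict

HITCOUNT, SECONDS = 3, 60  # --hitcount 3 --seconds 60 from the rules above

class RecentList:
    """Minimal model of one ipt_recent address list (--name SSH_PROBERS)."""
    def __init__(self, hitcount=HITCOUNT, seconds=SECONDS):
        self.hitcount, self.seconds = hitcount, seconds
        self.stamps = defaultdict(list)  # src ip -> timestamps of packets seen

    def _hits(self, ip, now):
        # only packets seen within the last `seconds` count toward hitcount
        return sum(1 for t in self.stamps[ip] if now - t <= self.seconds)

    def rcheck(self, ip, now):
        # --rcheck: match if >= hitcount hits in the window; list untouched
        return self._hits(ip, now) >= self.hitcount

    def update(self, ip, now):
        # --update: same test as rcheck, but a match also records this packet,
        # so a source that keeps retrying keeps its own block window open
        if self.rcheck(ip, now):
            self.stamps[ip].append(now)
            return True
        return False

    def set(self, ip, now):
        # --set: record the address/packet unconditionally
        self.stamps[ip].append(now)

def filter_connections(conns, hitcount=HITCOUNT, seconds=SECONDS):
    """Run (time_s, src_ip) NEW-connection events through the three rules in
    order; return (time_s, src_ip, verdict). LOG (rule 1) is non-terminating
    and matches exactly when rule 2 does, so every DROP is also logged."""
    recent, verdicts = RecentList(hitcount, seconds), []
    for now, ip in conns:
        if recent.update(ip, now):  # rules 1 + 2: LOG, then DROP
            verdicts.append((now, ip, "DROP"))
        else:                       # rule 3: record the hit and ACCEPT
            recent.set(ip, now)
            verdicts.append((now, ip, "ACCEPT"))
    return verdicts

# Constructed sample (not real traffic): 203.0.113.7 hammers port 22 while
# 198.51.100.2 is an ordinary user who logs in twice.
SAMPLE = [(0, "203.0.113.7"), (3, "198.51.100.2"), (5, "203.0.113.7"),
          (10, "203.0.113.7"), (15, "203.0.113.7"), (20, "203.0.113.7"),
          (68, "203.0.113.7"), (100, "198.51.100.2"), (200, "203.0.113.7")]
```

Running `filter_connections(SAMPLE)` shows the 4th connection in the window dropped, the retry at 68 s still dropped because each blocked attempt refreshes the entry, and the prober accepted again at 200 s once it has been quiet for more than 60 s.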

More information about the fedora-test-list mailing list