ssh security
Jeff Vian
jvian10 at charter.net
Thu Dec 29 14:02:21 UTC 2005
On Mon, 2005-12-26 at 17:56 -0800, jdow wrote:
> From: "Christian Motta" <chris at agweb.net>
>
> > I wrote this script to thwart the brute force ssh hackers. It isn't the
> > most efficient but it works. It blocks their IP using iptables. I run it
> > every minute via cron.
> >
> > #!/usr/bin/perl
>
> Thanks for the nice script Chris. I may add that to deepen my defenses.
>
> I have found, however, that a simple three line iptables addition seems
> to work like a champ, except for filling up the log.
>
A nice dynamic iptables tool to monitor sshd and block attacks is
sshdfilter.
http://www.csc.liv.ac.uk/~greg/sshdfilter/
I use it on several servers and it works really well to detect and block
attacks.
With it, an attempt to log in with an unknown account gets instantly
blocked, and with a known account (root or some other user) they only
get 6 attempts before being blocked. Most of the attacks on my systems
don't even get 2 attempts before they are blocked. I don't have root
enabled for remote access, so there is no worry there.
To avoid an enormously long iptables rule list, the blocked addresses are
unblocked after 3 days.
> ===8<---
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
> ===8<---
>
> I've taken to looking at where large numbers of rejected connections
> come from and have been adding them to the firewall manually. Your script
> can probably be adapted.
>
> (It is amusing how long idiots will keep trying. I had a twit from India
> trying nearly 10,000 times today before I finally blocked him. He got two
> chances in that entire set to actually try to guess a password. He made
> two runs. And right at the start of the two runs he tried and got the
> predictable password failure. After that for an hour or more at a stretch
> he simply pounded that reject rule never getting into the system at all.
> Poor baby. It did prompt me to simply add blanket blocks for much of the
> APNIC space that's allocated to Asian countries I never expect to visit.
> It makes life easier.)
>
> {^_-}
>
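As an added illustration (not part of this thread or of sshdfilter), the following Python model shows how the three quoted `recent`-module rules decide each SYN to port 22: the `--set` rule records every SYN, and the `--rcheck --seconds 120 --hitcount 3` rules reject once three SYNs from one source fall in a 120-second window. Because every rejected SYN is still recorded, a source that keeps pounding stays rejected, which is exactly the behaviour described above. The IP addresses and timestamps are constructed, and the kernel's cap on stored timestamps per address is not modelled.

```python
# Model of the xt_recent "sshattack" ruleset quoted above (added example).
from collections import defaultdict

SECONDS = 120   # --seconds 120
HITCOUNT = 3    # --hitcount 3


def simulate(syns, seconds=SECONDS, hitcount=HITCOUNT):
    """syns: list of (timestamp, src_ip) SYN packets to port 22, in time order.

    Returns a list of (timestamp, src_ip, verdict) with verdict 'ACCEPT'
    (the packet falls through all three rules) or 'REJECT'.
    """
    # src_ip -> recorded timestamps, like /proc/net/xt_recent/sshattack
    recent = defaultdict(list)
    verdicts = []
    for ts, ip in syns:
        # Rule 1 (--set): record this SYN. It has no -j target, so the
        # packet continues to the next rule. Rejected packets are recorded
        # too, which is why a pounding source never ages out of the window.
        recent[ip].append(ts)
        # Rules 2 and 3 (--rcheck --seconds --hitcount): match when at least
        # `hitcount` recorded SYNs from this source, this one included,
        # were seen strictly less than `seconds` ago.
        hits = sum(1 for t in recent[ip] if ts - t < seconds)
        verdicts.append((ts, ip, "REJECT" if hits >= hitcount else "ACCEPT"))
    return verdicts


def rejected_sources(verdicts):
    """Set of source addresses that hit the REJECT rule at least once."""
    return {ip for _, ip, v in verdicts if v == "REJECT"}


# Constructed sample: 10.0.0.9 bursts four SYNs, then returns after the
# window has expired; 192.0.2.10 is a slow, legitimate admin login.
EVENTS = [
    (0, "10.0.0.9"), (5, "192.0.2.10"), (10, "10.0.0.9"), (20, "10.0.0.9"),
    (30, "10.0.0.9"), (200, "10.0.0.9"), (400, "192.0.2.10"),
]

if __name__ == "__main__":
    for ts, ip, verdict in simulate(EVENTS):
        print(f"t={ts:4d}s  {ip:12s}  {verdict}")
```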