
Re: SSH and login attack





Thomas Cameron wrote:

These attacks appear to me to fire multiple concurrent connections to get around the delay.

Thomas


Possibly. I found a script out there and modified it a bit; this will block the attacker after opening up 3 concurrent connections in 60 seconds:


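# Assumes $IPT (path to iptables) and $IF (external interface) are set
# earlier in the firewall script.

# Load the recent-match module, tracking up to 200 source addresses per list.
modprobe ipt_recent ip_list_tot=200

IPADDR=67.110.180.110

# Rule 1: log a source that already has 3 hits in the last 60 seconds.
# LOG is non-terminating, so the packet continues to rule 2.
$IPT -A INPUT -i $IF -p tcp \
        -d $IPADDR --dport 22 -m state --state NEW -m recent --rcheck \
        --hitcount 3 --seconds 60 --name SSH_PROBERS \
        -j LOG --log-prefix "Adaptive-FW SSH Prober: "

# Rule 2: same test; --update also refreshes the entry when it matches,
# then the packet is dropped.
$IPT -A INPUT -i $IF -p tcp \
        -d $IPADDR --dport 22 -m state --state NEW -m recent \
        --update --hitcount 3 --seconds 60 --name SSH_PROBERS \
        -j DROP

# Rule 3: otherwise record the source in SSH_PROBERS and accept.
$IPT -A INPUT -i $IF -p tcp \
        -d $IPADDR --dport 22 -m state --state NEW -m recent \
        --set --name SSH_PROBERS -j ACCEPT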

So far this is working for me; it has a few drawbacks but seems simple enough for now.
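
A simplified model of how the three SSH_PROBERS rules above treat a series of new connections, added here as an example and not part of the original post. It follows the documented behaviour of the recent match (--rcheck tests, --update tests and refreshes on a match, --set records); the function names, the sample addresses and the timestamps are constructed, and the module's per-address stamp limit and the ip_list_tot table limit are not modelled.

```shell
#!/bin/sh
# Model of the SSH_PROBERS rule chain (hitcount 3, 60-second window).
# Input: one NEW connection to port 22 per line, "<time-in-seconds> <source-ip>".
# Output: the same line with the verdict the chain would reach.
simulate_ssh_probers() {
    awk -v hitcount=3 -v window=60 '
    # Number of recorded stamps for src that fall inside the window.
    function recent_hits(src, now,    i, n) {
        n = 0
        for (i = 1; i <= count[src]; i++)
            if (now - stamp[src, i] <= window) n++
        return n
    }
    function add_stamp(src, now) { stamp[src, ++count[src]] = now }
    {
        now = $1; src = $2
        if (recent_hits(src, now) >= hitcount) {
            # Rule 1 (--rcheck) logs, rule 2 (--update) refreshes and drops.
            add_stamp(src, now)
            print now, src, "LOG+DROP"
        } else {
            # Rules 1 and 2 do not match; rule 3 (--set) records and accepts.
            add_stamp(src, now)
            print now, src, "ACCEPT"
        }
    }'
}

# Constructed traffic: 192.0.2.10 opens connections in a burst, retries at
# t=50 and again at t=120; 198.51.100.7 connects once.
sample_events() {
    cat <<'EOF'
0 192.0.2.10
1 192.0.2.10
2 192.0.2.10
3 192.0.2.10
5 198.51.100.7
50 192.0.2.10
120 192.0.2.10
EOF
}

sample_events | simulate_ssh_probers
```

In this model the fourth connection inside the window is the first one refused, a retry while three stamps are still fresh is refused too, and the source is admitted again once the window has gone quiet.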

