iptables for ssh brute force attacks

  • toddler
    Confirmed User
    • Jun 2002
    • 1911

    #1

    iptables for ssh brute force attacks

    Had a new client ask me to take a look at his machines today, found a nice number of brute force ssh attempts. Hopefully it'll help someone out:

    #!/bin/sh
    PATH=/sbin

    # Dedicated chain for inbound SSH
    iptables -N sshthrottle
    # Packets belonging to an already-accepted connection pass straight through
    iptables -A sshthrottle -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections (SYN) are allowed at 3/minute with a burst of 3; the limit
    # match is a single token bucket shared by everything that reaches this chain
    iptables -A sshthrottle -p TCP --syn -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
    # Anything over the limit is logged with a greppable prefix, then rejected
    iptables -A sshthrottle -p TCP -j LOG --log-level "NOTICE" --log-prefix '[DROP:RATE_LIMIT] '
    iptables -A sshthrottle -p TCP -j REJECT
    # Send all inbound traffic to port 22 through the chain
    iptables -I INPUT -p TCP -s 0/0 --dport 22 -j sshthrottle

    This sets up a rule that is triggered by more than 3 hits to the ssh port by the same source IP in one minute, then activates the sshthrottle rule, which rejects the packets after that and logs them with the '[DROP:RATE_LIMIT]' tag.

    Dig it out of your syslog/messages later with this:

    # $file is whichever syslog file the kernel LOG lines land in; the awk field
    # number depends on your syslog line format, so check it against a real line
    grep RATE_LIMIT "$file" | awk '{print $10}' | sed -e 's/SRC=//g' | sort | uniq -c | sort -n
    grep RATE_LIMIT firewall | awk '{print $10}' | sed -e 's/SRC=//g' | sort | uniq -c | sort -n
    http://www.flickr.com/photos/zoddler/
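As an added example (not part of the original post), the same log-mining step written so it does not depend on a fixed awk field: it pulls the SRC= value out with sed, so it still works when the MAC= field is missing or the syslog prefix is a different width. The log lines are constructed here to mimic what the LOG target above writes.

```shell
#!/bin/sh
# Added example: count sources that tripped the [DROP:RATE_LIMIT] rule.
# Extracts SRC= by pattern instead of awk's $10, so field position does not matter.

# Constructed sample syslog lines in the shape the iptables LOG target produces.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun  3 10:01:02 host kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  3 10:01:03 host kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  3 10:01:05 host kernel: [DROP:RATE_LIMIT] IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  3 10:02:00 host sshd[123]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2
EOF

# Print "count ip" lines, busiest source last (same shape as uniq -c | sort -n).
count_rate_limited_sources() {
    grep 'RATE_LIMIT' "$1" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -n
}

# The single source with the most rejected connection attempts.
top_rate_limited_source() {
    count_rate_limited_sources "$1" | tail -n 1 | awk '{print $2}'
}

# How many attempts that top source made.
top_rate_limited_count() {
    count_rate_limited_sources "$1" | tail -n 1 | awk '{print $1}'
}

count_rate_limited_sources "$SAMPLE_LOG"
```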
  • grumpy
    Too lazy to set a custom title
    • Jan 2002
    • 9870

    #2
    Isn't that a bit low, three in a minute? Shouldn't that be 3 in one second?
    Don't let greediness blur your vision | You gotta let some shit slide
    icq - 441-456-888
