Re: SSH Bruteforce blocking script

[miah <miah () chia-pet org>]

Hi,

Logging is easy, just add the same rule but with a -j LOG --log-prefix
SSHBRUTE or whatever you want.

eg;
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \
1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \
--state NEW -j LOG --log-prefix SSHBRUTE

As for permantely adding hosts, why?  Poluting a firewall ruleset with a
rule that isn't going to be hit frequently is a waste.  Which is why the
hashlimit rule is perfect for this situation.

-miah


On Mon, Sep 05, 2005 at 11:50:54AM +0800, Michael L Benjamin wrote:
>  
> Thanks miah,
>
> I wasn't aware of this functionality in iptables. It doesn't offer the
> kind of permanency or logging that
> I might want, but it's a good suggestion nonetheless for other
> services/situations.
>
> Mike.
>
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of miah
> Sent: Friday, September 02, 2005 11:56 PM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
>
> If you're running iptables why not make use of hashlimit?  Once a limit
> is reached all connection attempts from that IP would be blocked until
> the hash entry expires.
>
> An example pulled from the web:
> iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \
> 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \ --state NEW
> -j ACCEPT
>
> https://www.redhat.com/archives/fedora-test-list/2005-August/msg00061.ht
> ml
> http://tinyurl.com/94fak
>
> Also, don't forget to man iptables or iptables -m hashlimit -h 
>
> -miah
>
> On Fri, Sep 02, 2005 at 07:33:02PM +0800, Michael L Benjamin wrote:
> > -----Original Message-----
> > From: full-disclosure-bounces () lists grok org uk
> > [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pedro 
> > Hugo
> > Sent: Friday, 2 September 2005 05:53 PM
> > To: full-disclosure () lists grok org uk
> > Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
> >
> > Hi,
> >
> > > I don't want to debate the goodness or badness of the strategy of 
> > > blocking hosts like this in /etc/hosts.deny. It works perfectly for 
> > > me, and most likely would for you, so no religious debates thanks. 
> > > It's effective at blocking bruteforce attacks. If a host EXCEEDS a 
> > > specified number of guesses during the (configurable) 30 seconds it 
> > > takes the script to cycle, the host is blacklisted.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/