Full Disclosure mailing list archives
Re: SSH Bruteforce blocking script
From: miah <miah () chia-pet org>
Date: Tue, 6 Sep 2005 10:53:52 -0400
Hi, Logging is easy, just add the same rule but with a -j LOG --log-prefix SSHBRUTE or whatever you want. eg; iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \ 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \ --state NEW -j LOG --log-prefix SSHBRUTE As for permantely adding hosts, why? Poluting a firewall ruleset with a rule that isn't going to be hit frequently is a waste. Which is why the hashlimit rule is perfect for this situation. -miah On Mon, Sep 05, 2005 at 11:50:54AM +0800, Michael L Benjamin wrote:
Thanks miah, I wasn't aware of this functionality in iptables. It doesn't offer the kind of permanency or logging that I might want, but it's a good suggestion nonetheless for other services/situations. Mike. -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of miah Sent: Friday, September 02, 2005 11:56 PM To: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] SSH Bruteforce blocking script If you're running iptables why not make use of hashlimit? Once a limit is reached all connection attempts from that IP would be blocked until the hash entry expires. An example pulled from the web: iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \ 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \ --state NEW -j ACCEPT https://www.redhat.com/archives/fedora-test-list/2005-August/msg00061.ht ml http://tinyurl.com/94fak Also, don't forget to man iptables or iptables -m hashlimit -h -miah On Fri, Sep 02, 2005 at 07:33:02PM +0800, Michael L Benjamin wrote:-----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pedro Hugo Sent: Friday, 2 September 2005 05:53 PM To: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] SSH Bruteforce blocking script Hi,I don't want to debate the goodness or badness of the strategy of blocking hosts like this in /etc/hosts.deny. It works perfectly for me, and most likely would for you, so no religious debates thanks. It's effective at blocking bruteforce attacks. If a host EXCEEDS a specified number of guesses during the (configurable) 30 seconds it takes the script to cycle, the host is blacklisted._______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: SSH Bruteforce blocking script, (continued)
- Re: SSH Bruteforce blocking script Christoph Moench-Tegeder (Sep 02)
- Re: SSH Bruteforce blocking script Gerald Holl (Sep 03)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
- Re: SSH Bruteforce blocking script Christoph Moench-Tegeder (Sep 02)
- Re: SSH Bruteforce blocking script Pedro Hugo (Sep 02)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
- Re: SSH Bruteforce blocking script miah (Sep 02)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 04)
- Re: SSH Bruteforce blocking script miah (Sep 06)
- RE: SSH Bruteforce blocking script Ron DuFresne (Sep 06)
- FW: SSH Bruteforce blocking script Michael L Benjamin (Sep 04)
- FW: SSH Bruteforce blocking script Michael L Benjamin (Sep 04)
- Re: FW: SSH Bruteforce blocking script Valdis . Kletnieks (Sep 04)