On 03/17/2010 11:24 PM, Michał Piotrowski wrote:
2010/3/17 Eric Sandeen<sandeen(a)redhat.com>:
> Michał Piotrowski wrote:
>> Hi,
>>
>> I recently had 30 hours of ssh brute force attack on my system. I'm
>> using strong passwords, but they still can be generated from /dev/random, so
>> I switched to rsa authentication. What's your favourite way to deal
>> with such attacks? Please describe pros and cons.
>>
>> Regards,
>> Michal
>
> Aside from not allowing password logins, I throttle them, they usually
> get tired and go away to an easier target.
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
If I understand correctly - this limits ssh connections to two
connections per minute. I tried it before on my devel server without
success. I tried it now with your configuration also without success.
I used
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -j ACCEPT
and I still can connect to ssh as many times as I want.
This needs to be followed by:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
That way as long as you stay within the limiting conditions you get
ACCEPTed by the first rule but if you make more ssh attempts the limit rule
no longer applies and you get DROPed instead.
Regards,
Dennis
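The behaviour Dennis describes comes down to how the `limit` match and chain traversal interact: `-m limit` is a token bucket (`--limit-burst` tokens to start, refilled at `--limit`), and a packet that fails the match simply falls through to the next rule and eventually to the chain policy. If nothing after the throttled ACCEPT rule says DROP (or REJECT), the excess SYNs are accepted by the policy, which is what Michał saw on his devel server; on the stock RH-Firewall-1-INPUT chain Eric was using, the chain already ends in a catch-all REJECT, so his single rule was enough there. The following simulation is an added example written for this thread, not code posted by any participant: it models the bucket and the chain with plain Python, feeds it six constructed connection attempts (five in the first five seconds, one two minutes later) and compares the verdicts with and without the trailing DROP rule. The class and function names are invented for the illustration.

```python
"""Simulate an iptables INPUT chain with a `-m limit` ACCEPT rule, with and
without a trailing DROP rule, to show why the DROP rule is required.

Added example for this thread; the model mirrors xt_limit's token bucket
(burst tokens up front, refilled at the configured rate) and the fall-through
to the chain policy. All names below are illustrative.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Packet:
    t: float       # seconds since the start of the simulation
    dport: int     # destination port
    state: str     # conntrack state, e.g. "NEW" or "ESTABLISHED"


@dataclass
class LimitMatch:
    """Token bucket like `-m limit --limit R --limit-burst B`.

    Starts with B tokens, refills at R tokens per second (capped at B) and
    matches a packet only if a whole token is available to spend on it.
    """
    rate_per_sec: float
    burst: int
    tokens: float = field(init=False, default=0.0)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, pkt: Packet) -> bool:
        elapsed = pkt.t - self.last_t
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        self.last_t = pkt.t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    matches: Callable[[Packet], bool]   # all match criteria ANDed together
    target: str                         # "ACCEPT" or "DROP"


def new_ssh(pkt: Packet) -> bool:
    """`-m state --state NEW -m tcp -p tcp --dport 22`"""
    return pkt.state == "NEW" and pkt.dport == 22


def traverse(chain: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain; the first matching rule decides, else the policy does."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def build_chain(with_drop: bool, limit_per_min: float = 1.0, burst: int = 2) -> List[Rule]:
    """Eric's throttled ACCEPT, optionally followed by Dennis's DROP rule."""
    lim = LimitMatch(limit_per_min / 60.0, burst)
    # Matches are evaluated in order, so the bucket is only charged for
    # packets that already satisfied the state/port criteria.
    chain = [Rule(lambda p: new_ssh(p) and lim.matches(p), "ACCEPT")]
    if with_drop:
        chain.append(Rule(new_ssh, "DROP"))
    return chain


def run(with_drop: bool, times: List[float], policy: str = "ACCEPT") -> List[str]:
    """Verdict for one NEW SSH connection attempt at each timestamp."""
    chain = build_chain(with_drop)
    return [traverse(chain, policy, Packet(t, 22, "NEW")) for t in times]


if __name__ == "__main__":
    # Constructed attempts: five SYNs in five seconds, then one two minutes later.
    attempts = [0.0, 1.0, 2.0, 3.0, 4.0, 120.0]
    print("limit ACCEPT only :", run(False, attempts))
    print("limit ACCEPT + DROP:", run(True, attempts))
```

With only the throttled ACCEPT rule and an ACCEPT policy every attempt goes through; with the DROP rule in place the third, fourth and fifth attempts are dropped and the one at 120 s is accepted again once the bucket has refilled. One caveat the thread does not raise: `-m limit` keeps a single bucket for the whole rule, so a brute-forcer also locks out the administrator's own logins for the duration; the `hashlimit` match with `--hashlimit-mode srcip` keeps a bucket per source address instead.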