On Fri, 2007-09-14 at 07:43 +0200, Gregory Machin wrote:
> If you must leave ssh open to the outside world, use a simple
iptables
> ruleset to limit attempts:
>
> # This rejects ssh attempts more than twice in 180 seconds...
> # First, mark attempts as part of the "sshattack" group...
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> # Optional: Include this line if you want to log these attacks...
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
> # Finally, reject the connection if more than one attempt is made in 180
> seconds...
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
>
> If more than one ssh attempt is made in 180 seconds (three minutes)
> from a given IP address, this blocks that IP address for that duration.
> You get one try. If you fail, you must wait 3 minutes before you can
> try again.
>
> Note that even a successful login is counted. If you log in and
> immediately log out, you still have to wait 3 minutes to get in again.
>
> Change the "--hitcount 2" bits to "--hitcount 3" if you want to
give
> yourself two tries to get in. You can also change the "--seconds 180"
> to "--seconds 300" to make the delay 5 minutes. The values I give above
> are enough to discourage most script kiddie attempts to get into your
> box.
Hi
Sorry to hijack this tread. The above should it be before, or after
you allow the ssh port ?
Before. You want packets NOT rejected by that bit to fall through to
other rules for further processing.
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens(a)internap.com -
- CDN Systems, Internap, Inc.
http://www.internap.com -
- -
- Change is inevitable, except from a vending machine. -
----------------------------------------------------------------------