your favourite method of dealing with ssh brute force attacks

Dennis J. dennisml at conversis.de
Fri Mar 19 01:57:09 UTC 2010


On 03/17/2010 11:24 PM, Michał Piotrowski wrote:
> 2010/3/17 Eric Sandeen<sandeen at redhat.com>:
>> Michał Piotrowski wrote:
>>> Hi,
>>>
>>> I recently had 30 hours of ssh brute force attack on my system. I'm
>>> using strong passwords, but still can be generated from /dev/random, so
>>> I switched to rsa authentication. What's your favourite way to deal
>>> with such attacks? Please describe pros and cons.
>>>
>>> Regards,
>>> Michal
>>
>> Aside from not allowing password logins, I throttle them, they usually
>> get tired and go away to an easier target.
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
>
> If I understand correctly - this limits ssh connections to two
> connections per minute. I tried it before on my devel server without
> success. I tried it now with your configuration also without success.
>
> I used
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit
> --limit 2/minute --limit-burst 2 -j ACCEPT
> and I still can connect to ssh as many times as I want.

This needs to be followed by:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP

That way as long as you stay within the limiting conditions you get
ACCEPTed by the first rule but if you make more ssh attempts the limit rule
no longer applies and you get DROPed instead.

Regards,
   Dennis
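Dennis's point turns on how the `limit` match hands a non-matching packet to the next rule. The simulation below is an added example, not code from the thread; it models the limit match as a token bucket (an approximation of xt_limit's credit accounting) and assumes a chain policy of ACCEPT, which is what lets every attempt through when the trailing DROP rule is missing.

```python
"""Simulate `-m limit` so the effect of the trailing DROP rule can be seen
without a live firewall.  Added illustration, not code from the thread:
the bucket holds `burst` tokens, refills at the average rate, and each
matched packet consumes one token (approximates xt_limit's credits)."""

from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """`-m limit --limit <per_minute>/minute --limit-burst <burst>`."""
    per_minute: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full

    def matches(self, now: float) -> bool:
        # refill at the average rate, never above the burst size
        refill = (now - self.last) * self.per_minute / 60.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0  # a matched packet spends one token
            return True
        return False  # no match: packet falls through to the next rule


def run_chain(arrivals, per_minute, burst, trailing_drop, policy="ACCEPT"):
    """Verdict for each NEW SYN to port 22 arriving at the given second offsets.
    Rule 1: limit match -> ACCEPT.  Rule 2 (optional): unconditional DROP.
    A packet matching no rule gets the chain policy (assumed ACCEPT here)."""
    limiter = LimitMatch(per_minute, burst)
    verdicts = []
    for t in arrivals:
        if limiter.matches(t):
            verdicts.append("ACCEPT")
        elif trailing_drop:
            verdicts.append("DROP")
        else:
            verdicts.append(policy)
    return verdicts


if __name__ == "__main__":
    # constructed input: four attempts in four seconds, one more a minute later
    attempts = [0, 1, 2, 3, 60]
    print("limit only  :", run_chain(attempts, 2, 2, trailing_drop=False))
    print("limit + DROP:", run_chain(attempts, 2, 2, trailing_drop=True))
```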

