Questions concerning Security Log

Dotan Cohen dotancohen at gmail.com
Fri Apr 8 18:04:07 UTC 2005


On Apr 8, 2005 7:28 PM, Brian Gaynor <briang at pmccorp.com> wrote:
> On Fri, 2005-04-08 at 10:36 +0300, Dotan Cohen wrote:
> 
> > I see that the attacker is coming from multiple IP's. Although I
> > currently do not ssh into this computer, I would like to leave that
> > option open. Actually, I would like to set that up as soon as possible.
> > What should I block if I am being attacked by several IP's, but I do
> > not want to block ssh altogether?
> >
> 
> You can also configure IPTABLES to look for failed attempts to log on
> and block the IP temporarily (say for 5 minutes) after a number of
> failed logon attempts (say 5 within 60 seconds). That's what we do and
> it reduces the log noise and limits the attacks. Here's what I use in
> IPTABLES (I'm sure members of this list could improve on this - also
> code may wrap):
> 
> #!/bin/sh
> #  Modprobe the extra modules we need
> modprobe ipt_recent
> modprobe ip_conntrack
> 
> #  Remove any old rules
> iptables -F
> iptables -X
> iptables -Z
> 
> #  Some variables - REPLACE WITH YOUR IP
> IFACE="eth0"
> IPADDR="192.168.1.1"
> 
> #  Kill ssh hackers - watch for more than 5 connection attempts in under
> #  60 seconds and reject for 5 minutes
> iptables -N SSH-EVIL
> iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
> iptables -A SSH-EVIL -j REJECT
> 
> iptables -N SSH
> iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 300 -j REJECT
> iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j SSH-EVIL
> iptables -A SSH -p tcp --syn -m recent --name sshconn --set
> iptables -A SSH -p tcp --syn -j ACCEPT
> 
> #  Allow unlimited traffic on the loopback interface
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> #  Send ssh down our user-defined chain, allow ftp ...
> iptables -A INPUT -i $IFACE -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -i $IFACE -p tcp --dport 22 -j SSH
> 
> ... rest of IPTABLES rules
> 
> --
> Brian Gaynor
> FC3/Linux on DELL Inspiron 5160 3.0Ghz
> canis 09:23:07 up 52 min, 2
> users, load average: 0.15, 0.15,
> 
> 

This is really nice. When I set up ssh again, and iptables, I will
certainly use this. Thank you very much!

Dotan Cohen

http://Song-Lirics.com/
http://Song-Liriks.com/
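Added example, not part of the thread above: a small Python model of the quoted SSH and SSH-EVIL chains, built on the documented ipt_recent semantics (--set records the packet's timestamp for the source address; --rcheck tests the list without updating it). Run on a constructed timeline of SYNs from two test addresses, it shows which attempt trips the block, how long the block lasts, and that an unrelated user is unaffected. The timeline, the addresses and the function names are all constructed for this illustration.

```python
# Added example (not from the thread): a model of the quoted SSH / SSH-EVIL
# iptables chains, so the timing of the block can be traced on sample input.
# ipt_recent semantics modelled: --set appends the packet's timestamp to the
# source's entry (and always matches); --rcheck tests the entry without updating.
# Only new TCP SYNs to port 22 are modelled; the ESTABLISHED,RELATED rule for
# non-SYN packets is not exercised here.
from collections import defaultdict

CONN_WINDOW = 60     # "--name sshconn --rcheck --seconds 60"
CONN_HITS = 5        # "--hitcount 5"
BLOCK_SECONDS = 300  # "--name badSSH --rcheck --seconds 300"


class RecentList:
    """One named ipt_recent list: timestamps of --set hits per source address."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):
        """--set: record that this source was seen at time `now`."""
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount=1):
        """--rcheck [--seconds N] [--hitcount H]: match if the source has at
        least H recorded hits within the last N seconds; never updates."""
        window = [t for t in self.hits.get(src, ()) if now - t <= seconds]
        return len(window) >= hitcount


def ssh_chain(src, now, badssh, sshconn, log):
    """Walk one new SYN to port 22 through the quoted SSH chain."""
    # Rule: source still listed in badSSH within the last 300 s -> REJECT
    if badssh.rcheck(src, now, BLOCK_SECONDS):
        return "REJECT"
    # Rule: five or more SYNs recorded in the last 60 s -> jump to SSH-EVIL
    if sshconn.rcheck(src, now, CONN_WINDOW, CONN_HITS):
        badssh.set(src, now)                        # SSH-EVIL: --set badSSH, LOG, REJECT
        log.append(f"evil SSH user: SRC={src} t={now}")
        return "REJECT via SSH-EVIL"
    # Rules: remember this attempt in sshconn, then ACCEPT
    sshconn.set(src, now)
    return "ACCEPT"


# Constructed timeline of (seconds, source). 198.51.100.7 hammers the port;
# 203.0.113.9 is an ordinary user making two connections. Both are test-net addresses.
SAMPLE_SYNS = [
    (0, "198.51.100.7"), (5, "203.0.113.9"), (10, "198.51.100.7"),
    (20, "198.51.100.7"), (30, "198.51.100.7"), (40, "198.51.100.7"),
    (50, "198.51.100.7"),   # 6th SYN inside 60 s: the five earlier hits trigger SSH-EVIL
    (55, "203.0.113.9"),
    (100, "198.51.100.7"),  # inside the 300 s block window
    (400, "198.51.100.7"),  # 350 s after the trigger: block expired, sshconn window empty
]


def simulate(syns):
    """Return ([(t, src, verdict), ...], [log lines]) for a timeline of SYNs."""
    badssh, sshconn, log = RecentList(), RecentList(), []
    verdicts = [(t, src, ssh_chain(src, t, badssh, sshconn, log))
                for t, src in sorted(syns)]
    return verdicts, log


def verdicts_for(src, syns=SAMPLE_SYNS):
    """Verdict sequence for one source address, for inspection or testing."""
    return [v for t, s, v in simulate(syns)[0] if s == src]


if __name__ == "__main__":
    results, log = simulate(SAMPLE_SYNS)
    for t, src, verdict in results:
        print(f"t={t:>4}  {src:<14} {verdict}")
    print("\n".join(log))
```

Two points the trace makes visible. First, the rules count TCP connection attempts (SYNs) per source, not failed logins, so any client that opens six connections within a minute is rejected for five minutes, legitimate or not. Second, because the block rule uses --rcheck rather than --update, attempts made during the block do not refresh the badSSH timestamp; the block ends exactly 300 seconds after the triggering attempt, which is the behaviour the quoted comment describes.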
