ssh security
Will Partain
will.partain at verilab.com
Tue Dec 27 09:19:55 UTC 2005
"jdow" <jdow at earthlink.net> writes:
> I have found, however, that a simple three line iptables addition seems
> to work like a champ, except for filling up the log.
>
> ===8<---
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
> $iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
> --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
> ===8<---
This is indeed a lovely approach, but has a drawback: it can't tell
the difference between many legit SSH connections and many bogus ones.
For example, if you are getting at a Subversion repository with
'svn+ssh://host/repo-stuff', then whole bunches of ssh connections
will be made in rapid succession. You can always up the hitcount, but
that's just a method waiting to fail (e.g. what if SVN does something
unexpected that needs _lots_ of ssh connections).
Just FYI.
Will
More information about the users
mailing list