brute force ssh attack
jludwig
wralphie at comcast.net
Sat May 7 23:21:16 UTC 2005
On Saturday 07 May 2005 05:57 pm, Marko Vojinovic wrote:
> On Saturday 07 May 2005 02:09, P. Thompson wrote:
> > On Wed, 4 May 2005, Daniel B. Thurman wrote:
> > > Folks,
> > >
> > > Seems that I am getting daily brute-force ssl attacks --
> > > Anything I can or should do?
> >
> > I wrote a little script that adds an iptables rule to drop the attacking
> > ip address for an hour then remove the block. An hour might be overkill,
> > but they never come back from the same address.
> >
> > It does not block on false users from IP ranges I normally come in from
> > so if I fat-finger my login I'm not screwed for an hour.
> >
> > I keep my sshd unblocked because I periodically ssh in from previously
> > unknown quarters and want that flexibility.
>
> Is there an easy way to manually block a specific IP? I would like to be
> able to block and unblock a couple of IPs when I seem fit, but since I am a
> begginer man iptables seems far too techy for me. Is there a recipe for
> this?
>
> Also, are you willing to share your script with us (I guess I could learn
> from it)?
>
> Best regards,
> Marko
>From the xterm, kterm, terminal, as root
1) iptables -I INPUT -s xxx.xxx.xxx.xxx/32 -j DROP # inserts the rule at the
beginning. ( -A insted of -I places therule at the end and probably won't
block the address since it most likely fit anouther rule.)
2) iptables -D INPUT -s xxx.xxx.xxx.xxx/32 -j DROP #removes the matching rule
( -R insted of -D replaces the rule.)
-I = insert
-A = append
-D = delete
-R = replace
see man iptables
--
John H Ludwig
Common sense is so rare, why do they call it common!!!
Manual customization of this file is not recommended,
BUT WILL BE DONE!!!
More information about the users
mailing list