brute force ssh attack

jludwig wralphie at comcast.net
Sat May 7 23:21:16 UTC 2005


On Saturday 07 May 2005 05:57 pm, Marko Vojinovic wrote:
> On Saturday 07 May 2005 02:09, P. Thompson wrote:
> > On Wed, 4 May 2005, Daniel B. Thurman wrote:
> > > Folks,
> > >
> > > Seems that I am getting daily brute-force ssl attacks --
> > > Anything I can or should do?
> >
> > I wrote a little script that adds an iptables rule to drop the attacking
> > ip address for an hour then remove the block.  An hour might be overkill,
> > but they never come back from the same address.
> >
> > It does not block on false users from IP ranges I normally come in from
> > so if I fat-finger my login I'm not screwed for an hour.
> >
> > I keep my sshd unblocked because I periodically ssh in from previously
> > unknown quarters and want that flexibility.
>
> Is there an easy way to manually block a specific IP? I would like to be
> able to block and unblock a couple of IPs when I see fit, but since I am a
> beginner man iptables seems far too techy for me. Is there a recipe for
> this?
>
> Also, are you willing to share your script with us (I guess I could learn
> from it)?
>
> Best regards,
> Marko

From the xterm, kterm, terminal, as root

1) iptables -I INPUT -s xxx.xxx.xxx.xxx/32 -j DROP # inserts the rule at the
beginning. ( -A instead of -I places the rule at the end and probably won't
block the address since it most likely fits another rule.)

2) iptables -D INPUT -s xxx.xxx.xxx.xxx/32 -j DROP # removes the matching rule
( -R instead of -D replaces the rule.)

-I = insert
-A = append
-D = delete
-R = replace
see man iptables
-- 
John H Ludwig

Common sense is so rare, why do they call it common!!!

Manual customization of this file is not recommended, 
BUT WILL BE DONE!!!
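
Added example, not part of the message above or of anyone's script in the thread: a POSIX sh wrapper around the two commands that validates the address, refuses to block ranges you log in from (the behaviour P. Thompson describes), and avoids inserting the same rule twice. The function names, the DRY_RUN and TRUSTED variables and the sample ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 (default) only prints commands;
# run as root with DRY_RUN=0 to apply them.
DRY_RUN="${DRY_RUN:-1}"
# Assumption: constructed sample ranges you log in from (documentation prefixes).
TRUSTED="${TRUSTED:-192.0.2.0/24 198.51.100.16/28}"

# Print a dotted quad as a 32-bit integer; fail on anything else.
ip2int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old=$IFS; IFS=.; set -- $1; IFS=$old
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if the address lies inside any CIDR block listed in TRUSTED.
is_trusted() {
    ip=$(ip2int "$1") || return 1
    for cidr in $TRUSTED; do
        net=$(ip2int "${cidr%/*}") || continue
        mask=$(( (0xFFFFFFFF << (32 - ${cidr#*/})) & 0xFFFFFFFF ))
        [ $(( $ip & $mask )) -eq $(( $net & $mask )) ] && return 0
    done
    return 1
}

# Print the command in dry-run mode, otherwise run the real iptables.
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }
# True only when the DROP rule for this address is already in INPUT.
present() { [ "$DRY_RUN" != 1 ] && iptables -C INPUT -s "$1/32" -j DROP 2>/dev/null; }

# Insert the DROP rule at the head of INPUT, once, and never for a trusted range.
block() {
    ip2int "$1" >/dev/null || { echo "bad address: $1" >&2; return 2; }
    if is_trusted "$1"; then echo "skip trusted $1"; return 0; fi
    present "$1" || ipt -I INPUT -s "$1/32" -j DROP
}

# Remove the rule; block() never inserts duplicates, so one -D is enough.
unblock() {
    ip2int "$1" >/dev/null || { echo "bad address: $1" >&2; return 2; }
    ipt -D INPUT -s "$1/32" -j DROP
}
```

Source the file and call block or unblock with an address; with DRY_RUN=1 the iptables command is printed instead of executed.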



