I love IP Tables....

jdow jdow at earthlink.net
Fri May 25 20:09:11 UTC 2007


From: "jdow" <jdow at earthlink.net>

>I craft my own firewall here using iptables.
>
> I have a favorite trick I learned from someone else a few years ago that I
> use to handle ssh security. Since ssh breaks every once in a while and I
> like to leave it open it gets special security efforts.
>
> The trick is quite simple within iptables. If I get one connection failure
> I have to wait several seconds before making a retry. ("OK, Joanne, don't
> hyperventilate. Just count to 10 and try again." {^_-})
>
> The common attack is a dictionary attack with several attempts a second.
> So of course, they get one shot to crack a password, usually for <snicker>
> root, which is dumb to begin with. After that first attempt they are
> blocked for the rest of their run.
>
> If they are canny enough to figure out "wait N seconds and then try again"
> they can dictionary attack me no more than about 43000 attempts per day if
> they cut back to one every couple seconds. If I do not have a dictionary
> word (or even a word) as a password, it is not 8 characters, and so forth
> how long would it take to guess "Fis8ottlemew" or something equally silly?
> The universe would grow cold, first.
>
> So good attack developers (bless them in a left-handed sort of way) are
> smart enough not to attack for more than a minute or so, a few hundred
> packets floating in the attack, before they quit. The bad ones run up to
> maybe 3000 or 4000 attempts to stop.
>
> Now, I have to wonder about the quality of education in Albania after
> last night. An Albanian cracker, or at least an idiot originating an
> attack from albtelecom.al (217.24.240.77) wasted three full hours and
> 36807 connection attempts to get ONE, exactly ONE, shot at cracking
> my system, the first attempt. All others were rejected and logged. I
> just gotta shake my head at the pathetic twit who created the software
> that made that attempt. At least my machine kept a whole lot of other
> machines from being attacked and I got a huge laugh about it. (And
> albtelecom.al finds its little block as one of my permanent blocks in
> the firewall, now. This is not the first attack from that /20 block!)
>
> I love IPTables.
>
> {^_-}    Joanne

People asked - here is the answer:
# Then set up the reject trap. $IPTABLES is the path to the iptables binary.
# Rule 1: every new SSH connection attempt (TCP SYN to port 22) adds the
# source address to the 'sshattack' list, or refreshes its timestamp and
# records another hit if it is already there.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Rule 2: if the same source already has 2 or more hits within the last
# 180 seconds (the hit just recorded counts), log the attempt.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
# Rule 3: same test, but reject with a TCP RST so the client fails fast
# instead of waiting for a timeout. A source that keeps hammering keeps
# refreshing its own timestamps, so it stays blocked until it goes quiet.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset


Adapt it to your configuration, of course.
{^_^}   (I probably should have included that in the first email for
        politeness. Please 'scuse me.) 
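The behaviour Joanne describes (one attempt gets through, every rapid retry is rejected, and a hammering source never earns a second shot) follows from how the `recent` match counts hits. The model below is an added example, not part of the original post and not the netfilter code itself: it approximates the `--set` / `--rcheck --seconds 180 --hitcount 2` semantics of the three posted rules in Python so the effect can be checked offline. It assumes the module's default packet list size of 20 entries per source and treats a hit exactly 180 seconds old as still inside the window; the IP addresses and SYN timings are constructed sample data.

```python
"""Model of the xt_recent throttle used by the posted SSH rules (constructed example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 180   # --seconds 180 in the posted rules
HITCOUNT = 2           # --hitcount 2 in the posted rules
PKT_LIST_TOT = 20      # assumption: xt_recent's default ip_pkt_list_tot


class RecentTable:
    """Approximates one xt_recent list (--name sshattack): per-source hit timestamps."""

    def __init__(self, pkt_list_tot=PKT_LIST_TOT):
        # Only the newest pkt_list_tot timestamps are kept per source.
        self.hits = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """--set: add the source if absent and record this packet's timestamp."""
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true when the source is listed and at
        least N recorded packets fall within the last S seconds."""
        if src not in self.hits:
            return False
        in_window = [t for t in self.hits[src] if now - t <= seconds]
        return len(in_window) >= hitcount


def apply_chain(syns, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Walk (timestamp, src) SYNs through the three rules in order.

    Rule 1 (--set) always records the packet; rules 2 and 3 (LOG, REJECT) fire on
    the same --rcheck test, so the verdict is REJECT when rcheck matches and PASS
    (on to whatever ACCEPT rule follows) otherwise.
    """
    table = RecentTable()
    verdicts = []
    for ts, src in sorted(syns):
        table.set(src, ts)
        if table.rcheck(src, ts, seconds, hitcount):
            verdicts.append((ts, src, "REJECT"))
        else:
            verdicts.append((ts, src, "PASS"))
    return verdicts


def count_verdict(verdicts, src, verdict):
    """Number of SYNs from src that received the given verdict."""
    return sum(1 for _, s, v in verdicts if s == src and v == verdict)


# Constructed sample traffic (TEST-NET addresses, not real hosts):
#  - a dictionary attacker sending one SYN every 2 seconds for 10 minutes
#  - an admin who connects, fumbles a retry 15 s later, then comes back
#    after a long pause
ATTACKER = "203.0.113.45"
ADMIN = "198.51.100.7"
SAMPLE_SYNS = [(t, ATTACKER) for t in range(0, 600, 2)] + [
    (5, ADMIN), (20, ADMIN), (400, ADMIN)]

# A patient attacker who learned to wait: one SYN every 181 seconds for a day.
PATIENT = "192.0.2.9"
PATIENT_SYNS = [(k * 181, PATIENT) for k in range(86400 // 181 + 1)]


def summarize(syns):
    """Return {src: (passes, rejects)} for the given SYN list."""
    verdicts = apply_chain(syns)
    sources = sorted({s for _, s in syns})
    return {s: (count_verdict(verdicts, s, "PASS"),
                count_verdict(verdicts, s, "REJECT")) for s in sources}


if __name__ == "__main__":
    for src, (p, r) in summarize(SAMPLE_SYNS).items():
        print(f"{src}: {p} passed, {r} rejected")
    p, r = summarize(PATIENT_SYNS)[PATIENT]
    print(f"{PATIENT} (181 s spacing): {p} passed, {r} rejected in one day")
```

The hammering attacker gets exactly one SYN past the trap in ten minutes, because every retry refreshes its own entry and keeps the hit count at or above 2 inside the window. The admin's quick retry is rejected, but the connection after a quiet spell goes through. The third case shows the ceiling for a source that spaces attempts further apart than the window: each attempt passes, so the rule bounds a single address to roughly one attempt per window rather than stopping it outright, which is why it pairs with a non-dictionary password rather than replacing one.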