Blocking SSH ... BUT...
Rick Stevens
rstevens at internap.com
Tue Sep 18 21:34:49 UTC 2007
On Tue, 2007-09-18 at 11:53 -0600, Ashley M. Kirchner wrote:
> Hey all,
>
> I have the following lines in my iptables config file to curb ssh
> knocking on our servers:
>
> # Let's see if we can curb SSH attacks.
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 120 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
>
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
> --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
>
>
> This works great...EXCEPT it also blocks our own access to the
> servers if we need to get on them in a short amount of time (less than
> 120 seconds). So how can I still implement the above blocking, but
> allow anything from our different subnets (we have 4) come through
> without going through that block routine?
The easiest way would be to add a line for each subnet you want to allow
ABOVE the code above:
-A INPUT -p tcp --syn --dport 22 -s www.xxx.yyy.zzz/aa -j ACCEPT
replacing "www.xxx.yyy.zzz/aa" with each subnet/mask you want to allow.
This would instantly allow ssh access from your network(s) before those
attempts hit the blocking code. That's what we do.
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- Working with Linux is like wrestling with a worthy opponent. -
- Working with Windows is like picking on an annoyed child with a -
- loaded handgun. -
----------------------------------------------------------------------
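The rule ordering Rick describes, as an added example that is not code from the thread or from either poster: a small Python model of how the quoted "-m recent" rules evaluate an inbound SYN, with and without the per-subnet ACCEPT rules placed above them, so that the behaviour Ashley ran into (the second connection inside 120 seconds getting a TCP reset) and the fix can be traced against concrete traffic. The subnets, hosts and timestamps are constructed for the example; the model follows the documented xt_recent semantics (--set records a timestamp for the source and always falls through, --rcheck --seconds N --hitcount M matches when at least M timestamps fall inside the last N seconds), not the kernel code itself. The corrected_rules() helper only emits the per-subnet ACCEPT lines followed by the original three rules in the same iptables-save syntax the config file uses.

```python
"""Model of the '-m recent' SSH throttle from the thread, with and without the
per-subnet ACCEPT rules above it.  Added example; subnets, hosts and times are
made up for illustration."""
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 120   # --seconds 120
HITCOUNT = 2           # --hitcount 2
SSH_PORT = 22


class SshInputChain:
    """Evaluates one inbound SYN to port 22 the way the quoted INPUT rules do."""

    def __init__(self, allowed_subnets=()):
        # The ACCEPT rules suggested in the reply, one per subnet, evaluated first.
        self.allowed = [ipaddress.ip_network(n) for n in allowed_subnets]
        # The 'sshattack' recent list: source address -> SYN timestamps (seconds).
        self.sshattack = defaultdict(list)

    def syn(self, src, now):
        """Return the chain's verdict for a SYN from `src` seen at time `now`."""
        addr = ipaddress.ip_address(src)

        # -A INPUT -p tcp --syn --dport 22 -s <subnet> -j ACCEPT
        # Sits ABOVE the recent rules, so trusted sources are never recorded.
        if any(addr in net for net in self.allowed):
            return "ACCEPT"

        # -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
        # --set always matches and has no target, so the packet falls through.
        stamps = self.sshattack[addr]
        stamps.append(now)

        # -A INPUT ... -m recent --name sshattack --rcheck --seconds 120 --hitcount 2
        # Matches when at least HITCOUNT stamps lie inside the last WINDOW_SECONDS;
        # the stamp just recorded by --set counts, so the 2nd SYN in 120 s matches.
        hits = sum(1 for t in stamps if now - t <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            # The LOG rule fires first, then REJECT --reject-with tcp-reset.
            return "REJECT"

        return "PASS"   # not matched here; the rest of INPUT decides


def verdicts(chain, syns):
    """Run a list of (source, time) SYNs through a chain and collect verdicts."""
    return [chain.syn(src, t) for src, t in syns]


def corrected_rules(allowed_subnets):
    """The three original rules with the per-subnet ACCEPT rules inserted above
    them, in iptables-save syntax, ready for the INPUT section of the config."""
    rules = [f"-A INPUT -p tcp --syn --dport {SSH_PORT} -s {net} -j ACCEPT"
             for net in allowed_subnets]
    rules += [
        f"-A INPUT -p tcp --syn --dport {SSH_PORT} -m recent --name sshattack --set",
        f"-A INPUT -p tcp --syn --dport {SSH_PORT} -m recent --name sshattack "
        f"--rcheck --seconds {WINDOW_SECONDS} --hitcount {HITCOUNT} "
        '-j LOG --log-prefix "SSH REJECT: "',
        f"-A INPUT -p tcp --syn --dport {SSH_PORT} -m recent --name sshattack "
        f"--rcheck --seconds {WINDOW_SECONDS} --hitcount {HITCOUNT} "
        "-j REJECT --reject-with tcp-reset",
    ]
    return rules


# Constructed traffic: an admin reconnecting three times within a minute from
# one of four (made-up) office subnets, and an outsider probing the port.
OFFICE_SUBNETS = ["10.1.0.0/16", "10.2.0.0/16", "192.0.2.0/24", "198.51.100.0/24"]
ADMIN_SYNS = [("10.1.5.7", 0), ("10.1.5.7", 30), ("10.1.5.7", 60)]
OUTSIDER_SYNS = [("203.0.113.9", 0), ("203.0.113.9", 5), ("203.0.113.9", 200)]


def demo():
    """Compare the ruleset as posted with the ruleset plus ACCEPT rules."""
    original = SshInputChain()                             # rules as posted
    fixed = SshInputChain(allowed_subnets=OFFICE_SUBNETS)  # ACCEPT rules above
    return {
        "admin_original": verdicts(original, ADMIN_SYNS),    # 2nd and 3rd reset
        "admin_fixed": verdicts(fixed, ADMIN_SYNS),          # all accepted
        "outsider_fixed": verdicts(fixed, OUTSIDER_SYNS),    # 2nd reset, 3rd passes
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name}: {v}")
    print("\n".join(corrected_rules(OFFICE_SUBNETS)))
```

Two practical points the model makes visible: the ACCEPT rules have to go above the --set rule, not merely above the REJECT, otherwise your own SYNs still populate the sshattack list (harmless for access, but it pollutes the list and the logs); and because --set runs before --rcheck on every SYN, any non-listed address is reset on its second SYN and stays blocked until no more than one of its SYNs falls inside the trailing 120-second window, which is why the outsider's third attempt at 200 seconds passes again. The whitelist matches on source address only, so it is only as trustworthy as the networks behind those subnets.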