Blocking SSH ... BUT...

Tony Nelson tonynelson at georgeanelson.com
Tue Sep 18 23:59:16 UTC 2007


At 11:53 AM -0600 9/18/07, Ashley M. Kirchner wrote:
>    Hey all,
>
>    I have the following lines in my iptables config file to curb ssh
>knocking on our servers:
>
># Let's see if we can curb SSH attacks.
>-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>
>-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
>--seconds 120 --hitcount 2 -j LOG  -log-prefix "SSH REJECT: "
>
>-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck
>--seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
>
>
>    This works great...EXCEPT it also blocks our own access to the
>servers if we need to get on them in a short amount of time (less than
>120 seconds).  So how can I still implement the above blocking, but
>allow anything from our different subnets (we have 4) come through
>without going through that block routine?

I use pam_recent, from <http://snafu.priv.at/mystuff/recent-plus-pam.html>
, to remove successful logins from the sshattack list.  As I have
additional delays for the persistent attacker, it's really important to
remove the successful logins.

My rules actually cover the range 21:22 to protect both FTP and SSH.  I use
ip_conntrack_ftp, set as an entry in the IPTABLES_MODULES line in
/etc/sysconfig/iptables-config.
-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson at georgeanelson.com>
      '                              <http://www.georgeanelson.com/>




More information about the users mailing list