Paul Cartwright wrote:
On Wed January 28 2009, Kevin Philp wrote:
Even easier and better: add the following to your iptables firewall. This
monitors your connections to the ssh port and drops the connection if
they try more than 4 connections in 10 minutes. I have been using this
for a while - works a treat.
References at:
http://www.la-samhna.de/library/brutessh.html
http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
/sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m recent \
    --update --seconds 600 --hitcount 4 --rttl --name SSH -j LOG \
    --log-prefix "SSH_brute_force "
# /sbin/iptables -A ssh-connection -i $EXT -p tcp --dport 22 -m
recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j
LOG --log-prefix "SSH_brute_force "
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Sorry, wasn't clear - this was cut from our firewall script. Here is a
longer section. It should work and give you what you need.
#!/bin/bash
###### Variables #####################################
INT=eth0                 # internal (LAN) interface
EXT=eth1                 # external (Internet-facing) interface
IPTABLES=/sbin/iptables
###### Flush old rules ################################
$IPTABLES -F
$IPTABLES -X
###### Set defaults ################################
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
###### Modified SSH brute force blocker with anti spoofing ##########
# Log, then drop, a source that keeps hitting port 22 beyond the --hitcount
# limit within --seconds. --rttl additionally requires the packet's TTL to
# match the one recorded for that source, so spoofed packets cannot be used
# to lock out a legitimate address.
$IPTABLES -N ssh-connection
$IPTABLES -F ssh-connection
$IPTABLES -A ssh-connection -i $EXT -p tcp --dport 22 -m recent --update \
    --seconds 600 --hitcount 4 --rttl --name SSH -j LOG \
    --log-prefix "SSH_brute_force "
$IPTABLES -A ssh-connection -i $EXT -p tcp --dport 22 -m recent --update \
    --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
# Record each new SSH connection in the SSH list and let it through.
$IPTABLES -A ssh-connection -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH -j ACCEPT
###### Set local access on INT only ###################
# "! -i" is the current negation syntax; the older "-i ! $EXT" form is
# rejected by recent iptables releases.
$IPTABLES -N internal-connection
$IPTABLES -F internal-connection
$IPTABLES -A internal-connection -s 127.0.0.1 ! -i $EXT -j ACCEPT
$IPTABLES -A internal-connection -s 192.168.100.0/255.255.255.0 ! -i $EXT -j ACCEPT
###### Set access to related connections ###############
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed-connection -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
###### Jump INPUT to filter chains ####################
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allowed-connection
$IPTABLES -A INPUT -j internal-connection
$IPTABLES -A INPUT -j ssh-connection
###### Jump FORWARD to filter chains ##################
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allowed-connection
$IPTABLES -A FORWARD -j internal-connection
$IPTABLES -A FORWARD -j ssh-connection
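Added example, not part of the thread or of Kevin's script: a small bash/awk summary of the kernel log lines that the "SSH_brute_force " LOG rule above produces, so you can see which sources are being throttled, how often, and when. The log lines embedded in it are constructed samples in the standard netfilter LOG line format; the hostname and addresses are made up.

```shell
#!/bin/bash
# Summarise "SSH_brute_force" LOG hits per source address.
# SAMPLE_LOG holds constructed sample lines (not real captures); in use you
# would feed e.g. journalctl -k or /var/log/kern.log on stdin instead.
SAMPLE_LOG='Jan 28 10:15:01 gw kernel: SSH_brute_force IN=eth1 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 28 10:15:03 gw kernel: SSH_brute_force IN=eth1 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51240 DPT=22 SYN
Jan 28 10:16:10 gw kernel: SSH_brute_force IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 28 10:16:12 gw sshd[1234]: Accepted publickey for admin from 192.168.100.20 port 50022 ssh2'

# Reads log text on stdin; prints "hits src first-seen last-seen" per source,
# most frequent first. Only lines carrying the LOG prefix are counted, and the
# source is taken from the SRC= field rather than a fixed column.
summarise_brute_force() {
    awk '
        /SSH_brute_force/ {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == "") next
            if (!(src in hits)) first[src] = $3
            hits[src]++
            last[src] = $3
        }
        END { for (s in hits) print hits[s], s, first[s], last[s] }
    ' | sort -rn
}

# Number of distinct sources that tripped the rate limit.
distinct_sources() {
    summarise_brute_force | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | summarise_brute_force
```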
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org