From: Bruce S. <bw...@ar...> - 2007-03-04 16:54:26
> I'm not commenting on the problem here, but a possible enhancement for
> the default firewall script of DL. See below:
>
> # Rate limit ssh connection attempts to 3 per 5 minutes per IP.
> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
>     --state NEW -m recent --set
> iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
>     --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
>
> This one does not create an additional queue like most other solutions
> for this common problem. I've found these 2 lines at the end of
> firewall script to be rather effective, yet problemless.
>
> No more brute-force-attack-trash in ssh log files. You might want to
> increase 300 seconds to 1800 for 30 minutes.

I've done similar things in some of my firewall scripts to combat the
brute-force ssh attacks. The main problem occurs if you do a lot of scps.
Each scp initiates a new ssh connection, and you end up locking yourself
out for the time period.

The best way I've found to harden ssh against the brute-force attacks is
to have ssh listen on a high/non-standard port number, and do not allow
password authentication (ssh keys only). I've never had a brute force
attacker find one of my non-standard ssh ports, and even if they did,
they could never login because they are trying passwords (which I don't
allow).

A better solution (IMO) would be a modification to openssh so it shuts
down an IP for a [configurable] period of time, after a [configurable]
number of bad authentication attempts. I even suggested that to one of
the openssh developers I once had a small email thread with.

- BS
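The lockout Bruce describes follows directly from how the two quoted rules count connections, so the following simulation is added here as a worked illustration. It is not code from the post, from the DL firewall script, or from netfilter; it is a model that assumes the `-m recent` semantics stated in its docstring (rule 1 records every NEW attempt, rule 2 drops once the hit count within the window is reached) and feeds it constructed timestamps for a password guesser and for a loop of scp transfers. The real module also caps the number of timestamps it keeps per address, which this model does not reproduce.

```python
"""Model of the iptables `-m recent` rule pair discussed in the thread.

Added example, not code from the post or from any netfilter source. It models

    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
        -m recent --set
    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
        -m recent --update --seconds 300 --hitcount 3 -j DROP

under this assumption about the `recent` module: rule 1 (`--set`) records a
timestamp for the source address on every NEW connection and never terminates
the chain, and rule 2 (`--update --seconds S --hitcount N`) matches, and drops,
when at least N recorded timestamps fall within the last S seconds.
All timestamps used below are constructed for the demonstration.
"""
from collections import defaultdict, deque


class RecentList:
    """Per-source timestamp list, one entry per NEW connection attempt."""

    def __init__(self, seconds=300, hitcount=3):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)  # source address -> timestamps

    def new_connection(self, src, now):
        """Return the verdict ('ACCEPT' or 'DROP') for a NEW connection at `now`."""
        ts = self.hits[src]
        # Rule 1: --set records the attempt whether or not it is later dropped.
        ts.append(now)
        # Forget attempts that have aged out of the window (monotonic time assumed).
        while ts and now - ts[0] > self.seconds:
            ts.popleft()
        # Rule 2: --update --hitcount matches once N attempts sit in the window.
        if len(ts) >= self.hitcount:
            return "DROP"
        # Neither rule terminated the chain; later rules or the policy decide.
        return "ACCEPT"


def simulate(times, seconds=300, hitcount=3, src="198.51.100.7"):
    """Feed a sequence of connection times from one source; return the verdicts."""
    rl = RecentList(seconds, hitcount)
    return [rl.new_connection(src, t) for t in times]


if __name__ == "__main__":
    # Constructed scenarios (times in seconds from one source address).
    scenarios = {
        "password guesser, one attempt per second":   [0, 1, 2, 3, 4],
        "scp loop, five files ten seconds apart":     [0, 10, 20, 30, 40],
        "guesser retrying every 100 s stays blocked": [0, 1, 2, 100, 200, 300, 400],
        "two logins, then quiet for over 5 minutes":  [0, 60, 400, 450],
    }
    for name, times in scenarios.items():
        print(f"{name}: {simulate(times)}")
```

Two things the model makes visible: the scp loop and the password guesser produce the same verdict sequence, because the rules see only SYNs per source and not whether authentication succeeded, and because `--set` runs before the drop rule, every dropped attempt still extends the window, so a source that keeps retrying within the window never ages out. Raising `--seconds` to 1800 as the quoted message suggests lengthens the self-lockout for scp users in the same proportion.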