From: Martin G. <sou...@gl...> - 2007-03-04 18:50:58
On Sunday 04 March 2007 09:54, Bruce Smith wrote:
> > I'm not commenting on the problem here, but a possible enhancement for
> > the default firewall script of DL. See below:
> >
> > # Rate limit ssh connection attempts to 3 per 5 minutes per IP.
> > iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
> > --state NEW -m recent --set
> > iptables -A INPUT -p tcp --dport 22 -i eth0 -m state \
> > --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
> >
> > This one does not create an additional queue like most other solutions
> > for this common problem. I've found these 2 lines at the end of
> > firewall script to be rather effective, yet problemless.
> >
> > No more brute-force-attack-trash in ssh log files. You might want to
> > increase 300 seconds to 1800 for 30 minutes.
>
> I've done similar things in some of my firewall scripts to combat the
> brute-force ssh attacks.
>
> The main problem occurs if you do a lot of scp's. Each scp initiates a
> new ssh connection, and you end up locking yourself out for the time
> period.
>
> The best way I've found to harden ssh against the brute-force attacks is
> to have ssh listen on a high/non-standard port number, and do not allow
> password authentication (ssh keys only).
>
> I've never had a brute force attacker find one of my non-standard ssh
> ports, and even if they did, they could never login because they are
> trying passwords (which I don't allow).
>
> A better solution (IMO) would be a modification to openssh so it shuts
> down an IP for a [configurable] period of time, after a [configurable]
> number of bad authentication attempts. I even suggested that to one of
> the openssh developers I once had a small email thread with.
While we are on the topic of blocking ssh attacks, I found this article which lists the pros and cons of various methods - http://www.la-samhna.de/library/brutessh.html

I currently use sshblock on a number of my machines and it is configurable and works very well - the only issue is that ssh has to be built with tcp_wrappers support (not currently in Devil). Is there any way of getting tcp_wrappers into DL?

Thx
Martin
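The following Python model is added here as an illustration and is not part of Martin's or Bruce's mail, nor of any Devil-Linux script. It replays NEW connection attempts through the two `-m recent` rules quoted above (`--set`, then `--update --seconds 300 --hitcount 3 -j DROP`) so that the scp self-lockout Bruce describes can be seen concretely. It goes one step beyond the thread by also contrasting `--update` with `--rcheck`, since that choice decides whether a locked-out admin who keeps retrying stays locked out. The source addresses and timings are constructed, and the per-address timestamp ring (20 entries, a `--update` match adding a fresh timestamp) is an approximation of the kernel `recent` table, not a copy of it.

```python
"""Model of the iptables 'recent' rate-limit pair quoted in the thread:

  iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
      -m recent --update --seconds 300 --hitcount 3 -j DROP

Constructed simulation, not code from the original mail.  Each NEW SYN is
run through both rules; the verdict is what the pair does with it.
"""
from collections import deque

WINDOW_SECONDS = 300   # --seconds 300
HITCOUNT = 3           # --hitcount 3
LIST_DEPTH = 20        # assumed: kernel default ip_pkt_list_tot (stamps kept per address)


class RecentList:
    """Approximation of one xt_recent table: per-address ring of hit timestamps."""

    def __init__(self, refresh_on_match=True):
        self.stamps = {}                          # src -> deque of timestamps
        self.refresh_on_match = refresh_on_match  # True models --update, False --rcheck

    def new_connection(self, t, src):
        """Run one NEW SYN at time t (seconds) from src through the two rules.

        Returns "ACCEPT" when the packet falls through the pair (to be
        accepted by a later rule) or "DROP" when the hitcount rule matched.
        """
        # Rule 1: -m recent --set  (records a hit, never terminates the chain)
        stamps = self.stamps.setdefault(src, deque(maxlen=LIST_DEPTH))
        stamps.append(t)
        # Rule 2: -m recent --update/--rcheck --seconds N --hitcount M -j DROP
        hits = sum(1 for s in stamps if t - s <= WINDOW_SECONDS)
        if hits >= HITCOUNT:
            if self.refresh_on_match:
                # --update: the blocked attempt itself refreshes the entry,
                # so steady retries keep the address inside the window.
                stamps.append(t)
            return "DROP"
        return "ACCEPT"


def replay(attempts, refresh_on_match=True):
    """attempts: iterable of (seconds, src).  Returns the list of verdicts."""
    table = RecentList(refresh_on_match)
    return [table.new_connection(t, src) for t, src in attempts]


# Constructed scenario 1: a dictionary attack, one NEW connection every 5 s.
ATTACKER = [(5 * i, "198.51.100.7") for i in range(8)]

# Constructed scenario 2: an admin copying five files with scp within two
# minutes (the self-lockout Bruce describes) ...
ADMIN_BURST = [(0, "192.0.2.10"), (20, "192.0.2.10"), (40, "192.0.2.10"),
               (60, "192.0.2.10"), (90, "192.0.2.10")]
# ... then retrying once every four minutes, i.e. always inside the window.
ADMIN_RETRIES = [(90 + 240 * i, "192.0.2.10") for i in range(1, 4)]
# ... or instead waiting one full window after the last attempt.
ADMIN_WAIT = [(90 + WINDOW_SECONDS + 1, "192.0.2.10")]


if __name__ == "__main__":
    print("attacker         :", replay(ATTACKER))
    print("scp burst        :", replay(ADMIN_BURST))
    print("retries, --update:", replay(ADMIN_BURST + ADMIN_RETRIES))
    print("retries, --rcheck:", replay(ADMIN_BURST + ADMIN_RETRIES, refresh_on_match=False))
    print("wait it out      :", replay(ADMIN_BURST + ADMIN_WAIT))
```

Two things the replay makes visible: with `--hitcount 3` and `--set` ahead of it, the third NEW connection inside the window is the first one dropped, so a burst of scp's from one address trips the rule just as Bruce says; and because `--update` refreshes the entry on every dropped attempt, retrying every few minutes never clears the block, whereas `--rcheck` lets the address back in once the original burst slides out of the 300 s window. Either way, staying quiet for a full window after the last attempt clears it.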