[PLUG] TCP Wrappers and IPs

Paul Mullen pem at nellump.ath.cx
Tue Feb 21 18:11:02 UTC 2006


On Tue, Feb 21, 2006 at 07:58:58AM -0800, Ed Sawicki wrote:
> 
> A far easier solution is to move ssh to a non-standard port.

That doesn't help when you're behind a firewall that blocks any
non-standard ports.

I just recently began using a nifty iptables trick that limits the
rate of new incoming SSH connections (three/minute in this case):

  # Dedicated chain for new SSH connections
  iptables -N SSH_LIMIT
  # Send every new connection to port 22 through it
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_LIMIT
  # Record the source address (with a timestamp) in the "SSH" recent list
  iptables -A SSH_LIMIT -m state --state NEW -m recent --set --name SSH
  # Refresh the timestamp of any source already at 4 hits within 60 seconds
  iptables -A SSH_LIMIT -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
  # Fourth (and later) new connection within 60 seconds gets dropped
  iptables -A SSH_LIMIT -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP

So far it works great. Where there used to be a zillion worm turds in
my auth.log, now there are only three per attacker. Seems like the
worms are smart enough to go away after being ignored.


Paul
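As an added illustration (not part of Paul's message), the Python model below walks new SSH connections through the same three `recent` rules and reports which ones the chain would drop. It follows the xt_recent list semantics as I understand them: each source keeps a ring of packet timestamps, `--set` and a matching `--update` both record a stamp, and `--rcheck`/`--update` match when at least `--hitcount` stamps fall within the last `--seconds`. The ring size of 20 mirrors xt_recent's default `ip_pkt_list_tot`; the sample event list, source addresses and helper names are constructed for this demo.

```python
"""Model of the iptables 'recent' rate-limit chain from the post.

Added example, not part of the original message.  It simulates the
xt_recent list semantics (a per-source ring of packet timestamps,
--set / --update both record a stamp, --rcheck and --update match when
at least --hitcount stamps fall within the last --seconds) so you can
see why the chain lets three new connections through per minute and
then keeps dropping a source for as long as it keeps retrying.  The
ring size of 20 mirrors xt_recent's default ip_pkt_list_tot; the event
list, addresses and helper names are constructed for this demo.
"""
from collections import deque

PKT_LIST_TOT = 20   # default size of the per-address timestamp ring in xt_recent


class RecentTable:
    """One named list (the post's '--name SSH')."""

    def __init__(self, name="SSH", ring=PKT_LIST_TOT):
        self.name = name
        self.entries = {}           # src -> deque of timestamps (newest last)
        self.ring = ring

    def _stamp(self, src, now):
        stamps = self.entries.setdefault(src, deque(maxlen=self.ring))
        stamps.append(now)

    def _hits(self, src, now, seconds):
        # count stamps not older than `seconds`; an absent source counts 0
        return sum(1 for s in self.entries.get(src, ()) if now - s <= seconds)

    def set(self, src, now):
        """--set: record this packet for src (creates the entry if new)."""
        self._stamp(src, now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds N --hitcount M: match if >= M stamps in the last N seconds."""
        return src in self.entries and self._hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):
        """--update: like rcheck, but a match also records a fresh stamp."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self._stamp(src, now)
        return matched


def ssh_limit_chain(table, src, now, seconds=60, hitcount=4):
    """Walk one NEW tcp/22 packet through the post's SSH_LIMIT chain.

    Returns "DROP" or "RETURN" (the packet falls back to the rest of INPUT).
    """
    table.set(src, now)                            # rule 1: --set
    table.update(src, now, seconds, hitcount)      # rule 2: --update, no target
    if table.rcheck(src, now, seconds, hitcount):  # rule 3: --rcheck ... -j DROP
        return "DROP"
    return "RETURN"


def simulate(events, seconds=60, hitcount=4):
    """events: list of (time_in_seconds, source_ip) for NEW SSH connections.

    Returns {src: {"allowed": [times], "dropped": [times]}}.
    """
    table = RecentTable()
    verdicts = {}
    for now, src in sorted(events):
        slot = verdicts.setdefault(src, {"allowed": [], "dropped": []})
        if ssh_limit_chain(table, src, now, seconds, hitcount) == "DROP":
            slot["dropped"].append(now)
        else:
            slot["allowed"].append(now)
    return verdicts


# Constructed sample: one scanner hammering the port, one admin logging in twice.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
    (30, "198.51.100.7"), (70, "198.51.100.7"), (200, "198.51.100.7"),
    (5, "192.0.2.10"), (400, "192.0.2.10"),
]

if __name__ == "__main__":
    for src, v in simulate(SAMPLE_EVENTS).items():
        print(f"{src}: allowed at {v['allowed']}, dropped at {v['dropped']}")
```

Running it shows the scanner's first three connections passing, the fourth (at 30 s) and the retry at 70 s being dropped because the `--update` rule keeps refreshing its timestamps, and the connection at 200 s getting through again once a full quiet minute has passed; the admin's two widely spaced logins are never touched.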


