[PLUG] Denyhosts, Cracking Attempts, and Intensity

Joe Pruett joey at clean.q7.com
Fri Jun 5 18:48:15 UTC 2009


> And I'll recommend this iptables recipe again. (CentOS 5.3 system -
> /etc/sysconfig/iptables -- therefore Redhat, Fedora, SciLinux, Whitebox
> should be similar.  You'll have to figure it out if you're using
> something else.)
>
> #+# Handle brute force assaults.
> -N SSH_WHITELIST
> -A SSH_WHITELIST -s 192.168.42.42 -m recent --remove --name SSH -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
> ###
> #+#
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

maybe the recent module is smart enough to not double count for the same 
packet, but your rules would be clearer with a log-drop rule you can jump 
to.  something like:

-N LOG-DROP
-A LOG-DROP -j LOG
-A LOG-DROP -j DROP

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG-DROP

that way you invoke the recent module just once and then log and drop 
based on that.
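The complete rule set with a single LOG-DROP chain, as an added example that is not part of this thread (neither the quoted recipe nor Joe's reply). The chain name RH-Firewall-1-INPUT and the "SSH_brute_force " log prefix come from the quoted recipe; the whitelist address and the sample kernel log lines are constructed, and the `-m limit` on the LOG rule is an addition to keep a flood from filling the log. The second function counts the resulting log lines per source so you can see who actually tripped the --hitcount rule.

```shell
#!/bin/sh
# Added example: iptables-restore fragment with one LOG-DROP chain, plus a
# summary of the kernel log lines it produces. Not from the original thread.

# Print the "filter" table fragment. $1 is the whitelisted source address
# (assumed placeholder; defaults to a documentation address).
ssh_ratelimit_rules() {
    whitelist="${1:-192.0.2.1}"
    cat <<EOF
*filter
:LOG-DROP - [0:0]
:SSH_WHITELIST - [0:0]
# LOG-DROP: log (rate limited, an addition to the recipe) with a fixed prefix, then drop.
-A LOG-DROP -m limit --limit 5/min -j LOG --log-prefix "SSH_brute_force "
-A LOG-DROP -j DROP
# Whitelisted hosts are removed from the recent list and accepted outright.
-A SSH_WHITELIST -s $whitelist -m recent --remove --name SSH -j ACCEPT
# Every new SSH connection is recorded in the "SSH" recent list.
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
# A single --update check: 4 or more new connections within 60 s jump to LOG-DROP.
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG-DROP
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Read kernel log lines on stdin, keep those carrying the SSH_brute_force
# prefix, and print "count ip" per SRC address, busiest source first.
summarize_bruteforce_log() {
    grep 'SSH_brute_force' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Constructed sample log: two hits from one source, one from another, and an
# unrelated sshd line that must be ignored.
SAMPLE_LOG='Jun  5 18:48:15 gw kernel: SSH_brute_force IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Jun  5 18:48:16 gw kernel: SSH_brute_force IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22
Jun  5 18:48:20 gw kernel: SSH_brute_force IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Jun  5 18:48:21 gw sshd[1234]: Accepted publickey for joey from 192.0.2.1 port 50000 ssh2'

# Stand-alone run: show the rules for the recipe's whitelist address, then the summary.
ssh_ratelimit_rules "192.168.42.42"
echo "--- dropped new SSH connections per source ---"
printf '%s\n' "$SAMPLE_LOG" | summarize_bruteforce_log
```

Load the fragment with `iptables-restore < rules` (or merge it into /etc/sysconfig/iptables on the CentOS layout the recipe assumes). Only one rule references `-m recent --update`, so each new SYN is evaluated against the SSH list exactly once and the log and drop decisions can never disagree.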
