[PLUG] Denyhosts, Cracking Attempts, and Intensity
Joe Pruett
joey at clean.q7.com
Fri Jun 5 18:48:15 UTC 2009
> And I'll recommend this iptables recipe again. (CentOS 5.3 system -
> /etc/sysconfig/iptables -- therefore Redhat, Fedora, SciLinux, Whitebox
> should be similar. You'll have to figure it out for if you're using
> something else.)
>
> #+# Handle brute force assaults.
> -N SSH_WHITELIST
> -A SSH_WHITELIST -s 192.168.42.42 -m recent --remove --name SSH -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
> ###
> #+#
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
maybe the recent module is smart enough to not double count for the same
packet, but your rules would be clearer with a log-drop rule you can jump
to. something like:
-N LOG-DROP
-A LOG-DROP -j LOG
-A LOG-DROP -j DROP
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG-DROP
that way you invoke the recent module just once and then log and drop
based on that.
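To make the difference between the two rule layouts concrete, here is a small model of the recent match's --set / --update / --remove behaviour run over a constructed sequence of NEW connections to port 22. It is an added illustration, not code from the quoted ruleset or from this reply; it assumes xt_recent's default of 20 stored timestamps per address, treats --seconds as "stamp no older than now minus S", and leaves --rttl out. The address 203.0.113.7 and the timings are made up.

```python
from collections import deque

WINDOW_SECONDS = 60              # --seconds 60 from the quoted ruleset
HITCOUNT = 4                     # --hitcount 4
WHITELIST = {"192.168.42.42"}    # the -s address in the SSH_WHITELIST rule
MAX_STAMPS = 20                  # assumption: xt_recent's default ip_pkt_list_tot


class RecentList:
    """Toy model of one '--name' list kept by the iptables recent match (--rttl omitted)."""

    def __init__(self):
        self.stamps = {}  # source address -> deque of 'last seen' timestamps (seconds)

    def _add_stamp(self, ip, now):
        self.stamps.setdefault(ip, deque(maxlen=MAX_STAMPS)).append(now)

    def set(self, ip, now):
        """'--set': add the address to the list and record a timestamp; always continues."""
        self._add_stamp(ip, now)

    def remove(self, ip):
        """'--remove': drop the address from the list; matches only if it was listed."""
        return self.stamps.pop(ip, None) is not None

    def update(self, ip, now, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        """'--update --seconds S --hitcount N': match when the address has at least N
        timestamps within the last S seconds, and on a match record one more."""
        stamps = self.stamps.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits < hitcount:
            return False
        self._add_stamp(ip, now)
        return True


def ssh_new_connection(recent, ip, now, separate_log_rule):
    """Run one NEW tcp/22 packet through the quoted rule order and return the verdict.

    separate_log_rule=True models the quoted ruleset, where the '-j LOG' rule and the
    '-j DROP' rule each carry their own '-m recent --update'.  False models the single
    LOG-DROP chain suggested in the reply, where --update is evaluated once."""
    recent.set(ip, now)                          # --set --name SSH (no target, falls through)
    if ip in WHITELIST and recent.remove(ip):    # SSH_WHITELIST: --remove ... -j ACCEPT
        return "ACCEPT"
    if separate_log_rule:
        recent.update(ip, now)                   # --update ... -j LOG (logs, then continues)
        if recent.update(ip, now):               # --update ... -j DROP (second stamp added)
            return "DROP"
    else:
        if recent.update(ip, now):               # one --update, then LOG-DROP chain
            return "DROP"
    return "ACCEPT"                              # final rule: --dport 22 -j ACCEPT


def simulate(attempts, separate_log_rule):
    """attempts: list of (seconds, source ip). Returns (seconds, ip, verdict, stamps kept)."""
    recent = RecentList()
    out = []
    for now, ip in attempts:
        verdict = ssh_new_connection(recent, ip, now, separate_log_rule)
        out.append((now, ip, verdict, len(recent.stamps.get(ip, ()))))
    return out


# Constructed sample: one address opening a new SSH connection every 10 s, a whitelisted
# host in between, then the same address coming back after the 60 s window has passed.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7"), (10, "203.0.113.7"), (20, "203.0.113.7"), (30, "203.0.113.7"),
    (35, "192.168.42.42"),
    (40, "203.0.113.7"), (120, "203.0.113.7"),
]

if __name__ == "__main__":
    for layout in (True, False):
        print("separate LOG and DROP rules" if layout else "single LOG-DROP chain")
        for now, ip, verdict, n in simulate(SAMPLE_ATTEMPTS, layout):
            print(f"  t={now:>4}s {ip:<15} {verdict:<6} stamps kept={n}")
```

Both layouts give the same verdicts (the 4th new connection inside 60 s is dropped, the whitelisted host is accepted and cleared from the list, and the address is accepted again once its stamps age out of the window), but with two separate --update rules every dropped packet adds two timestamps instead of one, which is exactly the double counting the reply is getting at.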