[PLUG] Denyhosts, Cracking Attempts, and Intensity

Roderick A. Anderson raanders at cyber-office.net
Fri Jun 5 19:39:43 UTC 2009


Joe Pruett wrote:
>> And I'll recommend this iptables recipe again. (CentOS 5.3 system -
>> /etc/sysconfig/iptables -- therefore Redhat, Fedora, SciLinux, Whitebox
>> should be similar.  You'll have to figure it out for yourself if you're using
>> something else.)
>>
>> #+# Handle brute force assaults.
>> -N SSH_WHITELIST
>> -A SSH_WHITELIST -s 192.168.42.42 -m recent --remove --name SSH -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
>> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
>> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
>> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
>> ###
>> #+#
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> 
> maybe the recent module is smart enough to not double count for the same 
> packet, but your rules would be clearer with a log-drop rule you can jump 
> to.  something like:

Thanks.

I found this and it made sense to an almost-literate-with-route2 person. 
When it worked and the logwatch entries dropped from 
tens/hundreds/thousands a day to less than ten I was thrilled.

I have been meaning to get rid of the logging since it goes to the console 
of the server(s) which are in a colo 35 miles away.  This makes me brave 
enough to take that line out.  Didn't want to fiddle with what was 
working ... or don't fix what's not broken.

The other idea I had was to use TARPIT instead of DROP.  For most of the 
systems I deal with there are only a few IPs that need to access the 
system remotely so the idea of tarpitting the bogus connections gives me 
a warm-fuzzy feeling.  But I'm not sure if TARPIT is a standard module.

Again thanks.


\\||/
Rod
-- 
> 
> -N LOG-DROP
> -A LOG-DROP -j LOG
> -A LOG-DROP -j DROP
> 
> -A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG-DROP
> 
> that way you invoke the recent module just once and then log and drop 
> based on that.
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
