[PLUG] IPtables internal port forwarding
Roderick A. Anderson
raanders at cyber-office.net
Wed May 6 22:58:26 UTC 2009
Rich Shepard wrote:
> On Wed, 6 May 2009, chris (fool) mccraw wrote:
>
>> I rolled this out after I got tired of playing whack-a-mole and to my
>> delight discovered that no scanner in the past 8 months (since I rolled it
>> out) continues to scan more than a handful of times after the connection
>> is refused.
>
> On the advice of many, I installed denyhosts here and it works like a
> charm. However, I still see dozens to hundreds of attempts from the same IP
> address to ssh in and even more trying brute force attacks to find a valid
> username.
From my /etc/sysconfig/iptables file. (CentOS 5.3 systems)
...
#+# 20090120raa - Handle brute force assaults.
-N SSH_WHITELIST
# You can put in as many of these as you like replacing $IP_TO_WHITELIST
# with a valid IP
# A whitelisted source is removed from the SSH recent-list and accepted.
-A SSH_WHITELIST -s $IP_TO_WHITELIST -m recent --remove --name SSH -j ACCEPT
# Record every new connection to port 22 in the recent-list named SSH.
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
# Fourth new connection from one source within 60 seconds: log it, then drop it.
# --update refreshes the entry on every match, so a source that keeps trying
# stays blocked; --rttl only matches packets whose TTL equals the one recorded
# by --set.
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
###
...
Email line breaks are yours to have and hold ... figure out. :-)
This cut my logwatch from several hundred to several thousand a day down to
fewer than 10.
\\||/
Rod
--
> Between the NetGear firewall appliance and denyhosts they've all been kept
> out.
>
> Rich
>
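An added example, not part of Rod's mail or of the CentOS firewall file: a small Python model of how the recent match evaluates the posted rule order (--set, then SSH_WHITELIST with --remove/ACCEPT, then --update --seconds 60 --hitcount 4 feeding LOG and DROP), run over constructed connection attempts. It shows which attempt in a burst gets dropped, why a source that keeps retrying stays blocked, why a patient scanner that spaces attempts 30 s apart is never tripped (so denyhosts still has work to do), and that a whitelisted address is cleared from the list. The --rttl check is not modelled, the 20-stamp cap is xt_recent's default ip_pkt_list_tot, and the verdict for an attempt that matches none of these rules is reported as PASS on the assumption that the elided rest of the chain accepts it. All addresses and times are made up.

```python
from collections import defaultdict, deque

# Parameters copied from the posted rules
SECONDS = 60      # --seconds 60
HITCOUNT = 4      # --hitcount 4
LIST_TOT = 20     # xt_recent default ip_pkt_list_tot: timestamps kept per address
LOG_PREFIX = "SSH_brute_force "


class RecentTable:
    """Model of one recent-list (--name SSH): source address -> timestamps, newest first."""

    def __init__(self):
        self.entries = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, ip, now):
        # --set: create the entry if missing and record the current packet.
        self.entries[ip].appendleft(now)

    def remove(self, ip):
        # --remove: forget the address entirely.
        self.entries.pop(ip, None)

    def update(self, ip, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when the address is known and
        # at least N recorded packets (including this one, recorded by --set)
        # fall within the last S seconds.  A match records the packet again,
        # which is why repeated attempts keep the block window open.
        stamps = self.entries.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.appendleft(now)
            return True
        return False


def ssh_chain(table, ip, now, whitelist, log):
    """Apply the posted rules, in order, to one NEW connection on tcp/22.

    Returns 'ACCEPT' (whitelisted), 'DROP' (rate limit hit, logged) or 'PASS'
    (no rule matched; assumed to be accepted by rules the excerpt elides).
    """
    table.set(ip, now)                                  # -m recent --set --name SSH
    if ip in whitelist:                                 # -j SSH_WHITELIST
        table.remove(ip)                                #   -m recent --remove -j ACCEPT
        return "ACCEPT"
    if table.update(ip, now, SECONDS, HITCOUNT):        # -j LOG --log-prefix "SSH_brute_force "
        log.append(f"{LOG_PREFIX}SRC={ip} t={now}")
    if table.update(ip, now, SECONDS, HITCOUNT):        # -j DROP
        return "DROP"
    return "PASS"


def simulate(attempts, whitelist=frozenset()):
    """Run (seconds, source_ip) NEW connections, in the order given, through the chain."""
    table, log, verdicts = RecentTable(), [], []
    for now, ip in attempts:
        verdicts.append(ssh_chain(table, ip, now, whitelist, log))
    return verdicts, log


# Constructed attempts (not captured traffic): (seconds, source address)
ATTACKER, LEGIT, FRIEND = "203.0.113.7", "198.51.100.5", "192.0.2.10"
BURST = [(t, ATTACKER) for t in range(6)]                      # one try per second
SLOW_RETRY = BURST + [(t, ATTACKER) for t in (35, 65, 95, 125)]  # burst, then every 30 s
PATIENT = [(t, ATTACKER) for t in range(0, 121, 30)]            # 30 s apart from the start
LEGIT_LOGINS = [(0, LEGIT), (1, LEGIT), (2, LEGIT), (61, LEGIT)]
WHITELISTED = [(t, FRIEND) for t in range(10)]

if __name__ == "__main__":
    for name, attempts, wl in (("burst", BURST, frozenset()),
                               ("slow retry", SLOW_RETRY, frozenset()),
                               ("patient", PATIENT, frozenset()),
                               ("legit", LEGIT_LOGINS, frozenset()),
                               ("whitelisted", WHITELISTED, frozenset({FRIEND}))):
        verdicts, log = simulate(attempts, wl)
        print(f"{name:12s} {' '.join(verdicts)}  logged={len(log)}")
```

The burst scenario drops from the fourth attempt on; the slow-retry scenario stays dropped because each blocked attempt re-stamps the entry; the patient scanner and the legitimate user never reach four hits inside any 60 s window; the whitelisted host is accepted every time and leaves no entry behind.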