[PLUG] IPtables internal port forwarding

Roderick A. Anderson raanders at cyber-office.net
Wed May 6 22:58:26 UTC 2009


Rich Shepard wrote:
> On Wed, 6 May 2009, chris (fool) mccraw wrote:
> 
>> i rolled this out after i got tired of playing whack-a-mole and to my
>> delight discovered that no scanner in the past 8 months (since i rolled it
>> out) continues to scan more than a handful of times after the connection
>> is refused.
> 
>    On the advice of many, I installed denyhosts here and it works like a
> charm. However, I still see dozens to hundreds of attempts from the same IP
> address to ssh in and even more trying brute force attacks to find a valid
> username.

From my /etc/sysconfig/iptables file. (CentOS 5.3 systems)

...
#+# 20090120raa - Handle brute force assaults.
-N SSH_WHITELIST
# You can put in as many of these as you like replacing $IP_TO_WHITELIST
# with a valid IP
-A SSH_WHITELIST -s $IP_TO_WHITELIST -m recent --remove --name SSH -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
###
...

Email line breaks are yours to have and hold ... figure out.  :-)

This cut my logwatch from having several hundred to several thousand a 
day to less than 10.


\\||/
Rod
-- 
>    Between the NetGear firewall appliance and denyhosts they've all been kept
> out.
> 
> Rich
> 
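As an added example that is not part of Rod's post or of iptables itself, this Python model walks one NEW SSH SYN through the four RH-Firewall-1-INPUT rules above, treating the "-m recent" SSH list as a per-address list of hit timestamps; the addresses, times and the sample event list are constructed, and the refresh-on-match behaviour of --update is a simplified model of the kernel module.

```python
WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
MAX_STAMPS = 20       # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address

class RecentList:
    """Model of one '-m recent' list: per source address, the TTL seen at --set and hit timestamps."""
    def __init__(self):
        self.entries = {}  # ip -> {"ttl": int, "stamps": [float, ...]}

    def set(self, ip, ttl, now):
        # --set: create the entry (recording the packet's TTL) or add a stamp to it
        entry = self.entries.setdefault(ip, {"ttl": ttl, "stamps": []})
        entry["stamps"] = (entry["stamps"] + [now])[-MAX_STAMPS:]

    def update_matches(self, ip, ttl, now, seconds, hitcount, rttl):
        # --update --seconds N --hitcount M [--rttl]: match when the address has at least
        # M stamps inside the last N seconds (and, with --rttl, the packet's TTL equals the
        # one recorded at --set); a match also refreshes the entry's "last seen" time.
        entry = self.entries.get(ip)
        if entry is None or (rttl and entry["ttl"] != ttl):
            return False
        if sum(1 for t in entry["stamps"] if now - t <= seconds) < hitcount:
            return False
        entry["stamps"] = (entry["stamps"] + [now])[-MAX_STAMPS:]
        return True

    def remove(self, ip):
        self.entries.pop(ip, None)  # --remove: delete the address from the list

def ssh_new_connection(ssh_list, whitelist, ip, ttl, now):
    """Walk the four RH-Firewall-1-INPUT rules for one NEW SSH SYN. Verdicts: ACCEPT
    (whitelisted), LOG+DROP (4th hit inside 60 s), CONTINUE (no rule matched, so the
    packet falls through to the rest of the chain)."""
    ssh_list.set(ip, ttl, now)                 # rule 1: -m recent --set --name SSH
    if ip in whitelist:                        # rule 2: -j SSH_WHITELIST
        ssh_list.remove(ip)                    #   ... -m recent --remove --name SSH -j ACCEPT
        return "ACCEPT"
    if ssh_list.update_matches(ip, ttl, now, WINDOW_SECONDS, HITCOUNT, rttl=True):
        return "LOG+DROP"                      # rule 3 logs (non-terminating), rule 4 drops
    return "CONTINUE"

def simulate(events, whitelist=frozenset()):
    """events: (time, ip, ttl) tuples in time order -> one verdict per event."""
    ssh_list = RecentList()
    return [ssh_new_connection(ssh_list, whitelist, ip, ttl, t) for t, ip, ttl in events]

# Constructed sample: one scanner hammering port 22, one whitelisted admin host at t=40.
SAMPLE = [(0, "203.0.113.9", 64), (10, "203.0.113.9", 64), (20, "203.0.113.9", 64),
          (30, "203.0.113.9", 64), (35, "203.0.113.9", 64), (40, "192.0.2.10", 64),
          (200, "203.0.113.9", 64)]
```

Note that none of the four rules accepts a non-whitelisted attempt: the first three hits inside the window simply fall through (CONTINUE) to whatever later rule in RH-Firewall-1-INPUT handles port 22, and once the window has expired the counter starts again.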
