Felipe Figueiredo wrote:
Hello,
once in a while (say, every two weeks) I get a brute-force
login/password scan attempt on my server (i.e., a single IP tries
dictionary account names and passwords at random). SSH access is
needed by many users, and (RSA/DSA key)-only access is, at present,
unwanted. So far none of these attempts has been lucky (to my knowledge),
but it always gives me the creeps when I see unusually big logwatch
reports, and my contacts with the sysadmins of the originating networks are
usually ignored.
Any ideas?
Maybe there is a way to temporarily block IPs upon such attempts (is
this a FAQ?), or maybe divert them, like what portsentry does for
portscans?
I limit access from each address to 3 connections per
minute. It's easy to set up and works fine using the iptables ipt_recent
module.
e.g.:
## SSH flood protection
# Only NEW connections are counted and dropped; packets of sessions that
# are already open should be accepted by an earlier ESTABLISHED,RELATED
# rule, so a tripped limit does not kill a user's existing logins.
# The 4th and later new connections from one address within 60 seconds
# are logged, then dropped; --rttl requires the same TTL as the packet
# that created the entry, so spoofed packets cannot get a peer blocked.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
  --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH conn flooding "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
  --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
# The first three new connections per window are recorded and accepted.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
  --name SSH -j ACCEPT
regards,
RT
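The 3-per-60-seconds window these rules implement has a subtlety worth seeing before relying on it: every matching --update rule refreshes the source's entry, so an address that keeps hammering stays blocked until it has been quiet for a full minute, while a user reconnecting a couple of times per minute is never touched. The following is an added example, not RT's code or part of this thread: a Python model of the chain's decisions on constructed timestamps and addresses; it ignores --rttl and the kernel's per-address stamp limit.

```python
"""Offline model of the three `-m recent` rules above (added example; not the
poster's code). Addresses and timestamps are constructed; --rttl and the
kernel's per-address stamp limit (ip_pkt_list_tot) are ignored."""
from collections import defaultdict

SECONDS = 60   # --seconds 60
HITCOUNT = 3   # --hitcount 3

# The INPUT chain from the post, in order. LOG is non-terminating, and every
# matching --update rule records its own timestamp, so a dropped connection
# adds two stamps and keeps extending the block while the source persists.
CHAIN = [("update", "LOG"), ("update", "DROP"), ("set", "ACCEPT")]


def simulate(attempts):
    """attempts: (seconds, source_ip) pairs for NEW connections, time-ordered per
    source. Returns (seconds, source_ip, verdict) with verdict ACCEPT or DROP."""
    stamps = defaultdict(list)  # the `SSH` recent list: source -> hit times
    verdicts = []
    for now, src in attempts:
        hist = stamps[src]
        for mode, target in CHAIN:
            if mode == "update":
                # --update matches if the source already has >= HITCOUNT
                # stamps younger than SECONDS; a match refreshes the entry.
                if len([s for s in hist if now - s < SECONDS]) >= HITCOUNT:
                    hist.append(now)
                    if target == "DROP":
                        verdicts.append((now, src, "DROP"))
                        break
            else:  # --set: record the hit unconditionally and accept
                hist.append(now)
                verdicts.append((now, src, "ACCEPT"))
                break
    return verdicts


def verdict_counts(attempts):
    """Per-source totals, e.g. {'198.51.100.7': {'ACCEPT': 4, 'DROP': 8}}."""
    out = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, src, verdict in simulate(attempts):
        out[src][verdict] += 1
    return dict(out)


# Constructed traffic: a scanner connecting every 5 s for 45 s, again at 70 s,
# and once more after staying quiet; a user reconnecting twice a minute.
SCANNER = [(t, "198.51.100.7") for t in list(range(0, 50, 5)) + [70, 140]]
USER = [(t, "192.0.2.10") for t in (0, 40, 70, 110)]

if __name__ == "__main__":
    for t, src, verdict in simulate(SCANNER + USER):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

The scanner's attempt at 70 s is still dropped although its last accepted connection was at 10 s, because the drops themselves refreshed the entry; only the attempt at 140 s, after a quiet minute, gets through.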