Napoleon wrote:
> I'll admit I'm still pretty green at a lot of this (lots of experience
> in computers, little in Linux) and don't understand everything. But I'm
> trying to learn, so please go easy on me :-)
>
> I've been having a problem with dictionary hacker attempts on my system
> (hundreds or even thousands a day), so I implemented the following rules:
>
> # Kill ssh hackers - watch for more than 3 connection attempts in under
> # 15 minutes and reject for 24 hours
> iptables -N SSH-EVIL
> iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
> iptables -A SSH-EVIL -j REJECT
>
> iptables -N SSH
> iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT
> iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL
> iptables -A SSH -p tcp --syn -m recent --name sshconn --set
> iptables -A SSH -p tcp --syn -j ACCEPT
>
> And something similar for ftp. These work well. But I'm also getting
> people trying to break in via the POP interface (I'm using qpopper). So
> I tried the following, which does not work:
>
> iptables -N POP-EVIL
> iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix "evil POP user: "
> iptables -A POP-EVIL -j REJECT
>
> iptables -N POP
> iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT
> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
> iptables -A FTP -p tcp --syn -j ACCEPT
>
> So my question is - what am I doing wrong in the POP interface, and how
> can I stop it here, also.
If the attacker uses a single connection to the POP3 server, then the above won't help. It will only work if your POP3 disconnects after, say, 3 attempts.

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
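An added example, not part of the original thread or anyone's posted rules: a script that regenerates the POP chain in the same shape as the SSH chain the poster says works. Two differences from the posted POP rules are visible on the page and are corrected here: the final ACCEPT is appended to a chain named FTP rather than POP (so a new SYN to port 110 never gets accepted inside the POP chain), and the `recent` rules lack `--syn`, so they count every packet that reaches them rather than one entry per new connection. The `-i eth0 --dport 110` selectors are moved onto an INPUT jump into the chain; that jump is not shown in the original post and is an assumption here, as are the `DRY_RUN` and `IPT` knobs. By default the script only prints the commands; set `DRY_RUN=0` to apply them as root. Note that this keeps the limitation the reply points out: the `recent` module counts TCP connections, not login failures, so an attacker who tries many passwords inside one POP3 session is not slowed by any of these rules unless the server itself drops the connection after a few failures.

```shell
#!/bin/sh
# Added example (not from the thread): corrected POP chain in the style of
# the poster's working SSH chain. Thresholds (5 SYNs in 900 s, ban 86400 s)
# and list names (popconn, badPOP) are taken from the post.
# IPT, DRY_RUN and the INPUT jump below are assumptions, not from the post.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

# run: either print an iptables command (dry run) or execute it.
# Arguments containing spaces are re-quoted so the printed line is
# copy-pasteable.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        out=$IPT
        for arg in "$@"; do
            case $arg in
                *" "*) out="$out \"$arg\"" ;;
                *)     out="$out $arg" ;;
            esac
        done
        printf '%s\n' "$out"
    else
        "$IPT" "$@"
    fi
}

# pop_rules: emit (or apply) the POP-EVIL and POP chains plus the INPUT hook.
pop_rules() {
    # Offender chain: record the source in badPOP, log it, reject.
    run -N POP-EVIL
    run -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix "evil POP user: "
    run -A POP-EVIL -j REJECT

    run -N POP
    # Packets of already-accepted connections pass without touching any list.
    run -A POP -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from a banned source are rejected for 24 h.
    run -A POP -p tcp --syn -m recent --name badPOP --rcheck --seconds 86400 -j REJECT
    # 5 or more new connections in 15 min from one source: ban it.
    # --syn here is what makes the counter mean "connections", not "packets".
    run -A POP -p tcp --syn -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
    # Otherwise record this connection attempt and accept it.
    run -A POP -p tcp --syn -m recent --name popconn --set
    run -A POP -p tcp --syn -j ACCEPT

    # Assumed hook (not in the post): send POP3 traffic on eth0 to the chain.
    run -A INPUT -p tcp -i eth0 --dport 110 -j POP
}

# Print the rules when executed directly as a script.
case $0 in
    *sh) ;;            # sourced into an interactive shell: only define functions
    *) pop_rules ;;
esac
```

Run it once to review the output, then `DRY_RUN=0 sh pop-rules.sh` as root to apply. If qpopper does not close the session after a handful of failed logins, these rules will not change how many passwords a single session can try; that has to come from the daemon or from something watching its log.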