Here is how I implemented it, coincidentally today :)
# Allow already established traffic
$IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT

# No more than 2 connection attempts per 2
# minutes to prevent brute force attacks
# log blocked attempts to /var/log/kern.log
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --set
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --rcheck \
    --seconds 120 --hitcount 3 -j LOG --log-level 5 --log-prefix "max con attempts exceeded: "
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent --name blacklist --update \
    --seconds 120 --hitcount 3 -j DROP

# only allow connections to localhost on $SSH_PORT if IP has
# knocked on $SSH_KNOCK_PORT within the last 60 seconds
$IPTABLES -A INPUT -p TCP --dport $SSH_KNOCK_PORT -m state --state NEW -m recent \
    --name knocklist --set
$IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW -m recent \
    --name knocklist --rcheck --seconds 60 -j ACCEPT

The latter one can also be achieved using the Debian package "knockd".

On Thu, Jan 1, 2009 at 4:51 PM, Justin Piszcz <jpis...@lucidpixels.com> wrote:
>
> On Thu, 1 Jan 2009, Napoleon wrote:
>
>> I'll admit I'm still pretty green at a lot of this (lots of experience in
>> computers, little in Linux) and don't understand everything. But I'm trying
>> to learn, so please go easy on me :-)
>>
>> I've been having a problem with dictionary hacker attempts on my system
>> (hundreds or even thousands a day), so I implemented the following rules:
>>
>> # Kill ssh hackers - watch for more than 3 connection attempts in under
>> # 15 minutes and reject for 24 hours
>> iptables -N SSH-EVIL
>> iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
>> iptables -A SSH-EVIL -j REJECT
>>
>> iptables -N SSH
>> iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT
>> iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL
>> iptables -A SSH -p tcp --syn -m recent --name sshconn --set
>> iptables -A SSH -p tcp --syn -j ACCEPT
>>
>> And something similar for ftp. These work well. But I'm also getting
>> people trying to break in via the POP interface (I'm using qpopper). So I
>> tried the following, which does not work:
>>
>> iptables -N POP-EVIL
>> iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix "evil POP user: "
>> iptables -A POP-EVIL -j REJECT
>>
>> iptables -N POP
>> iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT
>> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
>> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
>> iptables -A FTP -p tcp --syn -j ACCEPT
>>
>> So my question is - what am I doing wrong in the POP interface, and how
>> can I stop it here, also.
>>
>
> Solution: apt-get install fail2ban (read up on the docs, it can drop IPs
> based on attempts etc)
>
> Justin.
>

-- 
David Schmidt | http://www.fm5.at

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a
subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
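Added example, not part of this thread and not code from any of its posters: a small Python model of the iptables "recent" match (--set, --rcheck, --update with --seconds and --hitcount), used to replay Napoleon's SSH chain and David Schmidt's knock rules against constructed sequences of connection attempts, so the window and hitcount arithmetic behind "more than 3 attempts in 15 minutes" and "knocked within the last 60 seconds" can be checked offline. The model assumes that --rcheck/--update match when at least --hitcount timestamps (any timestamp if no --hitcount is given) fall inside the --seconds window, that --update records a new timestamp only when it matched, and that packets matching no ACCEPT rule hit a default DROP policy; the port numbers and addresses are placeholders.

```python
# Added example: a model of the netfilter "recent" match, not the kernel code.
# Assumptions: match = at least --hitcount stamps inside the --seconds window
# (any stamp if no hitcount); --update adds a stamp only on a match; a packet
# matching no ACCEPT rule is dropped by the (assumed) default policy.
from collections import defaultdict

MAX_STAMPS = 20  # ip_pkt_list_tot default: timestamps kept per address


class RecentList:
    """One named list of the recent match (e.g. --name sshconn)."""

    def __init__(self):
        self.stamps = defaultdict(list)  # ip -> timestamps of seen packets

    def set(self, ip, now):
        """--set: record a hit for ip (creating the entry if needed)."""
        s = self.stamps[ip]
        s.append(now)
        del s[:-MAX_STAMPS]

    def rcheck(self, ip, now, seconds=0, hitcount=0):
        """--rcheck [--seconds N] [--hitcount M]: does ip match right now?"""
        if ip not in self.stamps:
            return False
        in_window = [t for t in self.stamps[ip] if not seconds or now - t <= seconds]
        return len(in_window) >= (hitcount or 1)

    def update(self, ip, now, seconds=0, hitcount=0):
        """--update: like --rcheck, but refreshes the entry when it matches."""
        hit = self.rcheck(ip, now, seconds, hitcount)
        if hit:
            self.set(ip, now)
        return hit


def ssh_chain(syns):
    """Replay Napoleon's SSH chain over (time, ip) SYNs; returns verdicts."""
    bad, conn = RecentList(), RecentList()
    verdicts = []
    for now, ip in syns:
        if bad.rcheck(ip, now, seconds=86400):               # banned for 24 h
            verdicts.append("REJECT")
        elif conn.rcheck(ip, now, seconds=900, hitcount=3):  # 4th+ SYN in 15 min
            bad.set(ip, now)                                 # SSH-EVIL: LOG + ban
            verdicts.append("REJECT")
        else:
            conn.set(ip, now)
            verdicts.append("ACCEPT")
    return verdicts


def knock_gate(packets, ssh_port=22, knock_port=1234):
    """Replay David's knock rules over (time, ip, dport) NEW packets.

    ssh_port/knock_port stand in for $SSH_PORT/$SSH_KNOCK_PORT (placeholders).
    """
    knock = RecentList()
    verdicts = []
    for now, ip, dport in packets:
        if dport == knock_port:
            knock.set(ip, now)   # the --set rule has no target: packet falls through
            verdicts.append("DROP")
        elif dport == ssh_port and knock.rcheck(ip, now, seconds=60):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts


if __name__ == "__main__":
    # Constructed sample: one address retrying SSH every 10 s, then a day later.
    attempts = [(t, "203.0.113.7") for t in (0, 10, 20, 30, 40)] + [(90000, "203.0.113.7")]
    print(ssh_chain(attempts))
    # Constructed sample: knock, connect within 60 s, connect again too late.
    print(knock_gate([(0, "198.51.100.9", 1234), (5, "198.51.100.9", 22), (70, "198.51.100.9", 22)]))
```

The SSH replay accepts the first three SYNs, rejects the fourth (three stamps already sit inside the 900 s window, so the --hitcount 3 rule fires and the address lands in badSSH) and the fifth (badSSH --rcheck), and accepts again once the 86400 s ban has aged out; the knock replay accepts the SSH connection made 5 s after the knock and drops the one made 70 s after it.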