Hi. On Fri, 15 Jan 2016 16:37:48 -0500 Steve Matzura <s...@noisynotes.com> wrote:
> My new fledgling server is being slammed, and I mean slammed like
> Sandy slammed New York, by root login attacks from 59.46.71.36,
> ShenYang, China. Of course, I don't allow root logins except from the
> console or via ssh key pair, so I presume I'm safe that way, but I'd
> sure like to cut down on the log churning of /var/log/auth.log,
> particularly since it makes it harder to read that log to get the
> stuff I need to know out of it. My router (Fios Quantum gateway) is
> useless at blocking anything from the outside, so I've got to do it
> internally. What are folks' favorite deny-hosts applications? I tried
> installing DenyHosts, but it must be from a private repo because
> whatever I have in sources couldn't find it.

Why bother with userspace when you can force a kernel to do the job?

A simple solution:

# Drop every TCP packet from the attacker's /24.
iptables -I INPUT -p tcp -s 59.46.71.0/24 -j DROP

A complex one:

# -I inserts at the top of the chain, so the DROP goes in first and the
# ACCEPT inserted afterwards ends up above it.  Reversed, the DROP would
# catch every new SSH SYN before the rate-limit rule ever saw it.
iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
   -j DROP
# Per-source token bucket: 16 new connections up front, then 1/hour.
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
   -m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
   --hashlimit-mode srcip --hashlimit-name ssh \
   --hashlimit-htable-expire 60000 -j ACCEPT

Reco
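As an added illustration, not from the thread above, the following Python model simulates the per-source token bucket that the hashlimit rule keeps, using the posted parameters (1/hour, burst 16, htable-expire 60000 ms); the assumption that an entry idle longer than the expire time is dropped and recreated with a full burst is my reading of xt_hashlimit, and the attempt timelines are constructed.

```python
"""Model of hashlimit's per-source-IP token bucket with the posted parameters."""
from dataclasses import dataclass

RATE_PER_SEC = 1 / 3600        # --hashlimit 1/hour
BURST = 16                     # --hashlimit-burst 16
EXPIRE_SEC = 60000 / 1000      # --hashlimit-htable-expire 60000 (milliseconds)


@dataclass
class Bucket:
    tokens: float   # credits left; one new connection costs one token
    last_seen: float  # time of the last packet from this source


class SshRateLimiter:
    def __init__(self, rate=RATE_PER_SEC, burst=BURST, expire=EXPIRE_SEC):
        self.rate, self.burst, self.expire = rate, burst, expire
        self.table = {}  # srcip -> Bucket (the --hashlimit-mode srcip table)

    def allow(self, src_ip, now):
        """True if a new SSH connection at time `now` matches the ACCEPT rule."""
        b = self.table.get(src_ip)
        if b is None or now - b.last_seen > self.expire:
            # Assumption: an idle entry is garbage-collected after the expire
            # time, so the next packet starts a fresh bucket with a full burst.
            b = Bucket(tokens=float(self.burst), last_seen=now)
            self.table[src_ip] = b
        else:
            b.tokens = min(self.burst, b.tokens + (now - b.last_seen) * self.rate)
            b.last_seen = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False  # falls through to the SYN DROP rule


def simulate(attempts):
    """attempts: list of (time_in_seconds, src_ip); returns per-attempt decisions."""
    lim = SshRateLimiter()
    return [lim.allow(ip, t) for t, ip in attempts]


def summarize(attempts):
    decisions = simulate(attempts)
    return decisions.count(True), decisions.count(False)


# Constructed timelines: 20 attempts at one per second, then 20 more after a pause.
BURST_THEN_LONG_PAUSE = [(i, "59.46.71.36") for i in range(20)] + \
                        [(100 + i, "59.46.71.36") for i in range(20)]   # 81 s idle
BURST_THEN_SHORT_PAUSE = [(i, "59.46.71.36") for i in range(20)] + \
                         [(50 + i, "59.46.71.36") for i in range(20)]   # 31 s idle
```

The short pause leaves the bucket intact and every later attempt is dropped, while an attacker who waits past the 60 s expire gets a fresh burst of 16, so htable-expire should be sized against the 1/hour rate rather than left at 60 s.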