[GRLUG] Limiting SSH brute force attacks with IPTABLES (recent module)...
john-thomas richards
jtr at jrichards.org
Mon Feb 20 12:26:30 EST 2006
On Mon, Feb 20, 2006 at 12:15:15PM -0500, Godwin wrote:
> Nothing new, just a different way of handling it. I, for one, have
> used the "limit" module before, but the new "recent" way of blocking
> bad IP's seems better. Check it (as posted on digg.com):
>
> http://www.debian-administration.org/articles/187
> http://www.linux-noob.com/forums/index.php?showtopic=1829
>
> In essence, limit it to 3 attempts per minute:
>
> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
> --set
> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
> --update --seconds 60 --hitcount 4 -j DROP
> iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
Several times per day I receive brute force attacks on port 22. Digg had the
DenyHosts script which detects such attacks and adds the IP address to
/etc/hosts.deny. Would it be better to ban the IP altogether rather than limit
the frequency with which the attacks can occur? The idea of denying the IP
appeals to me but I am not a security expert in any sense.
--
john-thomas
------
If the gods listened to the prayers of men, all humankind would quickly
perish since they constantly pray for many evils to befall one another.
Epicurus, philosopher (c. 341-270 BCE)
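As an added illustration (not code from this thread or from the linked articles), here is a small Python model of the recent-module semantics behind the quoted rules. It walks constructed connection attempts through the chain in the order the two `-I` commands leave it, and shows that every dropped attempt re-stamps the address, so the block lasts until the source has been quiet for 60 s and then lifts on its own, which is the practical difference from a permanent hosts.deny entry. Addresses and timings are made up for the example.

```python
# Model of the netfilter "recent" match as the quoted rules use it (--set,
# and --update --seconds 60 --hitcount 4 -j DROP). Written for this thread as
# an illustration; it is not the kernel's xt_recent code. Connection attempts
# are constructed as (source address, time in seconds) pairs.
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # upper bound on timestamps kept per address (ip_pkt_list_tot)


class RecentList:
    """Per-source timestamp ring, like one --name list of the recent module."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, addr, now):
        # --set: add the address, or record one more hit, at time `now`
        self.stamps[addr].append(now)

    def update(self, addr, now, seconds, hitcount):
        # --update --seconds S --hitcount H: match if the address has at least
        # H recorded hits within the last S seconds; a match records `now` too,
        # which is what keeps the window sliding while an attacker persists
        hits = sum(1 for t in self.stamps.get(addr, ()) if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[addr].append(now)
            return True
        return False


def new_ssh_connection(rlist, addr, now, seconds=60, hitcount=4):
    """Verdict for one NEW SYN to port 22, walking the chain in the order the
    two `-I` commands leave it: the --update/DROP rule was inserted last, so
    it sits above the --set rule, and the ACCEPT rule is appended below both."""
    if rlist.update(addr, now, seconds, hitcount):
        return "DROP"
    rlist.set(addr, now)
    return "ACCEPT"


def run(attempts, seconds=60, hitcount=4):
    """Apply the chain to a sequence of (addr, time) attempts; return verdicts."""
    rlist = RecentList()
    return [new_ssh_connection(rlist, a, t, seconds, hitcount) for a, t in attempts]


if __name__ == "__main__":
    # constructed sample: one source hammering every 10 s, then a long pause
    attacker = [("203.0.113.7", t) for t in range(0, 100, 10)]
    attacker.append(("203.0.113.7", 170))  # 70 s of silence after the last try
    print(run(attacker))
```

On a live system the list these rules maintain can be read from /proc/net/xt_recent/DEFAULT (/proc/net/ipt_recent/ on older kernels), and `--name` gives SSH its own list so other rules using the module do not share its counters.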