
OT: illegal user logon



Not AMD64 specific, but I use the following iptables script:

#!/bin/sh
# Start fresh: flush every rule in the filter table
iptables -F

# Deal with SSH connections: two user-defined chains, one that tracks
# attempts and one that logs and drops offenders.
iptables -N sshchain
iptables -N sshscan

# Do the block: send all new and existing SSH traffic on eth0 to sshchain
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j sshchain
# Record the source of every NEW connection in the "sshattempts" list
iptables -A sshchain -m conntrack --ctstate NEW -m recent --name sshattempts --set
# 10 or more hits from one source within 60 seconds: hand off to sshscan
iptables -A sshchain -m recent --rcheck --seconds 60 --hitcount 10 --name sshattempts --rsource -j sshscan

# log when it happens (the list name must be given here too; without
# --name the check runs against the empty DEFAULT list and never matches)
iptables -A sshscan -m recent --rcheck --hitcount 3 --seconds 600 --name sshattempts --rsource -j LOG --log-prefix "SSH too many: "
iptables -A sshscan -j DROP
##################

It blocks all IPs that make more than 10 SSH connect attempts per
minute.  This is more than generous because my most forgetful
legitimate user only manages two or three failures total per login
attempt.  But, it is enough to dramatically reduce the amount of
nefarious failures.

-Brett.
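As an added example, not part of Brett's post: a small shell function that summarises the kernel log lines the LOG rule above emits, so you can see which sources tripped the limit and how often. It assumes the LOG prefix from the script (either spelling of "too") and the usual netfilter SRC= field; the sample log lines are constructed.

```shell
#!/bin/sh
# Constructed sample of what kern.log/dmesg shows once the sshscan LOG rule
# fires; the sshd line is noise that the filter must ignore.
SAMPLE_LOG='Mar  3 10:15:02 host kernel: SSH too many: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 10:15:03 host kernel: SSH too many: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  3 10:15:09 host kernel: SSH too many: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:15:10 host sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 40002 ssh2
Mar  3 10:15:12 host kernel: SSH too many: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51240 DPT=22 SYN'

# count_blocked: read log lines on stdin and print "<hits> <source>" for
# every SRC that reached the LOG rule, busiest source first.
count_blocked() {
  awk '
    # match the --log-prefix from the script ("too?" also accepts "to many")
    /SSH too? many: / {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); hits[$i]++ }
    }
    END { for (s in hits) printf "%d %s\n", hits[s], s }
  ' | sort -rn
}

# top_blocked: only the source with the most LOG hits (empty if none).
top_blocked() {
  count_blocked | head -n 1 | awk '{ print $2 }'
}

# Usage: feed the kernel log, e.g. grep "SSH too many" /var/log/kern.log | count_blocked
printf '%s\n' "$SAMPLE_LOG" | count_blocked
```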


