Re: howto block ssh brute-force

To: philsf79@gmail.com
Cc: debian-security@lists.debian.org
Subject: Re: howto block ssh brute-force
From: TiB <repasi.tibor@chello.hu>
Date: Sun, 12 Mar 2006 09:27:05 +0100
Message-id: <[🔎] 4413DB59.8020105@chello.hu>
In-reply-to: <[🔎] 385d1e010603112350g5c11a3b1ha21ed67f5e6e7e63@mail.gmail.com>
References: <[🔎] 385d1e010603112350g5c11a3b1ha21ed67f5e6e7e63@mail.gmail.com>

Felipe Figueiredo wrote:

Hello,

once in a while (say, every two weeks) I get a brute-force
login/password scan attempt in my server (i.e., a single ip tries
dictionary account names and passwords at random). SSH access is
needed by many users, and  (RSA/DSA key)-only access is, at present
time, unwanted. So far none such attempt was lucky (to my knowlege),
but it always gives me creeps when I see unusually big logwatch
reports, and my contacts to sysadmins of originating networks are
usually ignored.

Any ideas?

Maybe there is a way to temporarily block ips upon such attempts (is
this a FAQ?), or maybe divert them like what portsentry does for
portscans?

I'm using to limit access from a each address to 3 connections perminute. It's easy to set up and works fine using iptables ipt_recentmodule.


e.g.:

## SSH flood protection

iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60--hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH conn flooding "iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60--hitcount 3 --rttl --name SSH -j DROPiptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set--name SSH -j ACCEPT


regards,
   RT

Reply to:

Follow-Ups:
- Re: howto block ssh brute-force
  - From: martin f krafft <madduck@debian.org>

References:
- howto block ssh brute-force
  - From: "Felipe Figueiredo" <philsf@ufrj.br>

Prev by Date: howto block ssh brute-force
Next by Date: Re: howto block ssh brute-force
Previous by thread: howto block ssh brute-force
Next by thread: Re: howto block ssh brute-force
Index(es):
- Date
- Thread