
Re: howto block ssh brute-force



The only thing I can say is be *VERY* careful on a busy Linux box. iptables sucks. It's sequential, meaning every entry in a list has to be processed. Your best bet is to first match TCP SYN packets and jump to another separate chain ONLY for the SYN packets, then do your denies there, and do stateful accept. State gets processed before the rest of the FW code, and statefully established sessions are in hash structures/radix lookup rather than a linked list. If the box does any sort of traffic or gets even a half-decent number of attacks you'll pretty quickly find out that if you get a few hundred rule lines lined up, the amount of CPU time spent per packet w/o these little tweaks is very high.

--On March 12, 2006 4:50:51 AM -0300 Felipe Figueiredo <philsf@ufrj.br> wrote:

Hello,

once in a while (say, every two weeks) I get a brute-force
login/password scan attempt on my server (i.e., a single IP tries
dictionary account names and passwords at random). SSH access is
needed by many users, and (RSA/DSA key)-only access is, at present,
unwanted. So far no such attempt was lucky (to my knowledge),
but it always gives me creeps when I see unusually big logwatch
reports, and my contacts to sysadmins of originating networks are
usually ignored.

Any ideas?

Maybe there is a way to temporarily block IPs upon such attempts (is
this a FAQ?), or maybe divert them like what portsentry does for
portscans?


--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting
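An added example, not code from Michael's post or from Debian: a POSIX sh script laying out the chains the way he describes (stateful ACCEPT first, then only SSH SYN packets jump to a separate chain that holds the denies). The `-m recent` rate-limit rules are my addition to cover Felipe's temporary-block question; the chain name SSH_NEW, port 22, list name sshbf and the 4-per-60s threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Stateful ACCEPT comes first
# (conntrack hash lookup), then only new SSH SYN packets enter a separate
# chain where the denies live, so the INPUT chain stays short for every
# other packet on a busy box.
# Assumed: chain SSH_NEW, port 22, recent-list "sshbf", 4 attempts per 60s.
# Set IPT=echo before calling to print the rules instead of applying them.
IPT="${IPT:-iptables}"

setup_ssh_chain() {
    # Dedicated chain for SSH connection attempts (create, or flush if present)
    $IPT -N SSH_NEW 2>/dev/null || $IPT -F SSH_NEW
    # Established/related packets are accepted before any rule list is walked
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only TCP SYN packets to the SSH port enter the slow chain
    $IPT -A INPUT -p tcp --dport 22 --syn -j SSH_NEW
    # Temporary block: a source that already made 4 new SSH connections in the
    # last 60s is dropped; --update refreshes its timestamp, so the block
    # lasts until the source stays quiet for 60s
    $IPT -A SSH_NEW -m recent --name sshbf --update --seconds 60 --hitcount 4 -j DROP
    # Record this attempt for the source address
    $IPT -A SSH_NEW -m recent --name sshbf --set
    # Anything that survives the chain is an ordinary new SSH connection
    $IPT -A SSH_NEW -j ACCEPT
}

block_source() {
    # Manual deny for one address or prefix, inserted at the top of SSH_NEW so
    # it is checked before the rate-limit rules and never seen by non-SSH traffic
    $IPT -I SSH_NEW 1 -s "$1" -j DROP
}
```

Run it as root for real, or with `IPT=echo` to review the generated rules first; the stateful ACCEPT must stay above the SYN jump or every packet of every established session walks SSH_NEW.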