
Re: SSH attack



On 10/15/05, Ritesh Raj Sarraf <rrs@researchut.com> wrote:
> ## SSH Bruteforce
> iptables -N SSH_WHITELIST
> iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog
>

While this is the best solution I've seen as well, there are some
issues with the "recent" module...

  http://lists.debian.org/debian-kernel/2005/10/msg00302.html

--
Jiann-Ming Su
"I have to decide between two equally frightening options.
 If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank.  The election baby has peed in
the bath water.  You got to throw 'em both out."  --Dale Gribble
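
Added illustration (not code from either poster): a small Python model of the bookkeeping the five quoted rules ask the "recent" match to do, using the counting semantics the iptables manual documents for --set, --remove and --update --seconds --hitcount. The source addresses and timings are constructed sample input; the --rttl check, the per-entry stamp limit and the body of the denylog chain are left out as simplifications.

```python
from ipaddress import ip_address, ip_network

WHITELIST = ip_network("10.0.1.0/24")   # from the quoted SSH_WHITELIST rule
SECONDS, HITCOUNT = 60, 4               # --seconds 60 --hitcount 4


class SshRecentFilter:
    """Models the 'SSH' recent list as source -> list of hit timestamps."""

    def __init__(self):
        self.recent = {}

    def new_connection(self, src, now):
        """Verdict for one NEW tcp/22 packet from src at time `now` (seconds)."""
        src = ip_address(src)
        # Rule 3: -m recent --set --name SSH. No jump target, so it always
        # records the packet and the packet continues down the INPUT chain.
        stamps = self.recent.setdefault(src, [])
        stamps.append(now)
        # Rule 4: -j SSH_WHITELIST. Whitelisted sources are removed from the
        # list (--remove) and accepted, so they can never be locked out.
        if src in WHITELIST:
            del self.recent[src]
            return "ACCEPT"
        # Rule 5: --update --seconds 60 --hitcount 4. Matches when at least
        # four hits fall inside the last 60 seconds; on a match --update also
        # refreshes the entry, so continued hammering extends the block.
        hits = sum(1 for t in stamps if now - t <= SECONDS)
        if hits >= HITCOUNT:
            stamps.append(now)
            return "denylog"
        # No rule matched: falls through to the rest of INPUT (assumed accept).
        return "ACCEPT"


def simulate(events):
    """Run a list of (src, time) NEW connections through a fresh filter."""
    f = SshRecentFilter()
    return [f.new_connection(src, t) for src, t in events]


# Constructed sample: one outside host makes five attempts in eight seconds,
# then one more after the 60-second window has expired; a whitelisted host
# makes six attempts in six seconds.
ATTEMPTS = [("203.0.113.7", t) for t in (0, 2, 4, 6, 8, 130)] + \
           [("10.0.1.5", t) for t in range(6)]

if __name__ == "__main__":
    for (src, t), verdict in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(f"t={t:4d}  {src:<12}  {verdict}")
```

The fourth attempt inside the window is the first one sent to denylog, and the attempt at t=130 is accepted again because every earlier stamp has aged out of the 60-second window.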
