
Re: DenyHosts



	Hi.

On Fri, 15 Jan 2016 16:37:48 -0500
Steve Matzura <sm@noisynotes.com> wrote:

> My new fledgling server is being slammed, and I mean slammed like
> Sandy slammed New York, by root login attacks from 59.46.71.36,
> ShenYang, China. Of course, I don't allow root logins except from the
> console or via ssh key pair, so I presume I'm safe that way, but I'd
> sure like to cut down on the log churning of /var/log/auth.log,
> particularly since it makes it harder to read that log to get the
> stuff I need to know out of it. My router (Fios Quantum gateway) is
> useless at blocking anything from the outside, so I've got to do it
> internally. What are folks' favorite deny-hosts applications? I tried
> installing DenyHosts, but it must be from a private repo because
> whatever I have in sources couldn't find it.

Why bother with userspace when you can force a kernel to do the job?

A simple solution:

iptables -I INPUT -p tcp -s 59.46.71.0/24 -j DROP

A complex one:

# -I puts each rule at the top of INPUT, so insert the DROP first;
# the ACCEPT inserted after it then lands above it.
iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
	-j DROP

iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
	-m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
	--hashlimit-mode srcip --hashlimit-name ssh \
	--hashlimit-htable-expire 60000 -j ACCEPT

Reco
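
What the hashlimit rule above does to each source address, as an added Python model (not part of the original message, and a simplified model rather than the kernel's code). Assumptions: the class and function names are hypothetical, the administrator address 192.0.2.10 and the traffic are constructed, and every source keeps its hash entry alive, so the 60-second idle expiry is not modelled.

```python
# Simplified model of the per-source token bucket behind
# "--hashlimit 1/hour --hashlimit-burst 16 --hashlimit-mode srcip".
# Integer credits: one credit per second, one new connection costs 3600.

INTERVAL = 3600          # seconds per token: --hashlimit 1/hour
BURST = 16               # --hashlimit-burst 16
COST = INTERVAL          # credits spent by one accepted new connection
CAP = BURST * COST       # a fresh bucket holds the full burst


class HashLimit:
    def __init__(self):
        self.buckets = {}  # source IP -> (credits, time last seen)

    def verdict(self, src, now):
        credits, last = self.buckets.get(src, (CAP, now))
        credits = min(CAP, credits + (now - last))  # refill, capped at burst
        if credits >= COST:
            self.buckets[src] = (credits - COST, now)
            return "ACCEPT"
        self.buckets[src] = (credits, now)
        return "DROP"  # no match here, so the SYN reaches the DROP rule


def replay(events):
    """events: iterable of (seconds, src). Returns {src: [accepted times]}."""
    fw = HashLimit()
    accepted = {}
    for now, src in sorted(events):
        accepted.setdefault(src, [])
        if fw.verdict(src, now) == "ACCEPT":
            accepted[src].append(now)
    return accepted


# Constructed traffic: the noisy source retries every 10 s for two hours,
# while an administrator at another address logs in twice.
NOISY, ADMIN = "59.46.71.36", "192.0.2.10"
SAMPLE = [(t, NOISY) for t in range(0, 7201, 10)] + [(100, ADMIN), (5000, ADMIN)]

if __name__ == "__main__":
    for src, times in replay(SAMPLE).items():
        print(src, len(times), "accepted at", times)
```

Of the 721 attempts from the noisy source, the model accepts 18: the initial burst of 16, then one per hour. The administrator's bucket is separate, so both logins pass.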

