Temporarily Disable IP [ANOTHER SOLUTION] - Debian
Temporarily Disable IP [ANOTHER SOLUTION]
Another solution besides using DenyHosts is to use the following set of
iptables commands. (Courtesy: A friend who constantly monitors this list
but wants to remain anonymous)
## create denylog chain
iptables -N denylog
iptables -A denylog -j LOG
iptables -A denylog -j DROP
## SSH Bruteforce
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog
Creates a whitelist of one or more networks. All others are subject to
inspection. More than 4 hits within 60 seconds are denied. In case of 60
seconds without a hit, this rule is automatically cleared again. That's
the magic of the "recent"-module of iptables. It works for me - and it's
very useful!
Thanks,
rrs
--
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
-
Re: Temporarily Disable IP [ANOTHER SOLUTION]
Interested in trying this, but can't seem to get it to work. I see
packets hitting the --set --name SSH rule, but the drop following it
never sees any packets. (using iptables -L -n -v). Seems like it should
work, looks like I've got all the modules loaded that I need...
phil
Ritesh Raj Sarraf said:
> Another solution besides using DenyHosts is to use the following set of
> iptables commands. (Courtesy: A friend who constantly monitors this list
> but wants to remain anonymous)
>
> ## create denylog chain
> iptables -N denylog
> iptables -A denylog -j LOG
> iptables -A denylog -j DROP
>
> ## SSH Bruteforce
> iptables -N SSH_WHITELIST
> iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog
>
> Creates a whitelist of one or more networks. All others are subject to
> inspection. More than 4 hits within 60 seconds are denied. In case of 60
> seconds without a hit, this rule is automatically cleared again. That's
> the magic of the "recent"-module of iptables. It works for me - and it's
> very useful!
>
> Thanks,
>
> rrs
--
phil
-
Re: Temporarily Disable IP [ANOTHER SOLUTION]
What's your iptables version?
Phil Dyer on Monday 10 Oct 2005 01:17 wrote:
> Interested in trying this, but can't seem to get it to work. I see
> packets hitting the --set --name SSH rule, but the drop following it
> never sees any packets. (using iptables -L -n -v). Seems like it should
> work, looks like I've got all the modules loaded that I need...
>
> phil
>
> Ritesh Raj Sarraf said:
>> Another solution besides using DenyHosts is to use the following set of
>> iptables commands. (Courtesy: A friend who constantly monitors this list
>> but wants to remain anonymous)
>>
>> ## create denylog chain
>> iptables -N denylog
>> iptables -A denylog -j LOG
>> iptables -A denylog -j DROP
>>
>> ## SSH Bruteforce
>> iptables -N SSH_WHITELIST
>> iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
>> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
>> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
>> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog
>>
>> Creates a whitelist of one or more networks. All others are subject to
>> inspection. More than 4 hits within 60 seconds are denied. In case of 60
>> seconds without a hit, this rule is automatically cleared again. That's
>> the magic of the "recent"-module of iptables. It works for me - and it's
>> very useful!
>>
>> Thanks,
>>
>> rrs
>
> --
>
> phil
--
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
-
Re: Temporarily Disable IP [ANOTHER SOLUTION]
Ritesh Raj Sarraf said:
> What's your iptables version?
sarge 1.2.11-10.
-
Re: Temporarily Disable IP [ANOTHER SOLUTION]
Phil Dyer on Monday 10 Oct 2005 06:40 wrote:
> Ritesh Raj Sarraf said:
>> What's your iptables version?
>
> sarge 1.2.11-10.
Then it has to work.
I'm using the same and am very happy. The attacks have dropped by 90%
because all of them were from automated scripts.
Please re-check the commands you're using.
## create denylog chain
iptables -N denylog
iptables -A denylog -j LOG
iptables -A denylog -j DROP
## SSH Bruteforce
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog
Creates a whitelist of one or more networks. All others are subject to
inspection. More than 4 hits within 60 seconds are denied. In case of 60
seconds without a hit, this rule is automatically cleared again. That's
the magic of the "recent"-module of iptables. It works for me - and it's
very useful!
HTH,
rrs
--
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
-
Re: Temporarily Disable IP [ANOTHER SOLUTION]
Ritesh Raj Sarraf said:
> Phil Dyer on Monday 10 Oct 2005 06:40 wrote:
>
>> Ritesh Raj Sarraf said:
>>> What's your iptables version?
>>
>> sarge 1.2.11-10.
>
> Then it has to work.
it does. If I could count to 4, I'd be dangerous. 
--
phil
-
Re: Temporarily Disable IP [ANOTHER SOLUTION]
Phil Dyer on Tuesday 11 Oct 2005 06:36 wrote:
> it does. If I could count to 4, I'd be dangerous. 
If you count to 4 _within_ sixty seconds.
I don't think a genuine user would login 4 times within sixty seconds.
rrs
--
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
-
Re: Temporarily Disable IP [ANOTHER SOLUTION]
Ritesh Raj Sarraf said:
> Phil Dyer on Tuesday 11 Oct 2005 06:36 wrote:
>
>> it does. If I could count to 4, I'd be dangerous.
>
> If you count to 4 _within_ sixty seconds.
> I don't think a genuine user would login 4 times within sixty seconds.
What I was doing to test was SSHing from another box that I manage. SSH
gives you three login attempts before giving up. I was counting that as
3 attempts. Of course, all three of those are in the same TCP session,
so there's only one SYN packet there. Duh. Anyway, seems to work as
advertised. Thanks.
--
phil
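A Python model of how the posted rules count NEW SSH connections per source, added here as an illustration and not part of the thread: it simplifies iptables' recent module (a list of hit timestamps per source, driven by --set, --update --seconds 60 --hitcount 4 and --remove; the TTL comparison from --rttl is not modelled) and shows the two points raised above, that several password attempts inside one TCP session are a single hit while a fourth separate connection within 60 seconds lands in denylog, and that 60 seconds of quiet clears the source again. The sample source addresses are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Values taken from the rules posted in the thread.
WHITELIST = [ip_network("10.0.1.0/24")]   # -s 10.0.1.0/24 in SSH_WHITELIST
SECONDS, HITCOUNT = 60, 4                  # --update --seconds 60 --hitcount 4


class RecentTable:
    """Simplified stand-in for the kernel's xt_recent list (--name SSH):
    a list of hit timestamps per source. Not the real module (no --rttl)."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):                 # -m recent --set
        self.hits[src].append(now)

    def remove(self, src):                   # -m recent --remove
        self.hits.pop(src, None)

    def update_matches(self, src, now):      # -m recent --update --seconds --hitcount
        if src not in self.hits:
            return False
        recent = [t for t in self.hits[src] if now - t <= SECONDS]
        self.hits[src] = recent              # hits older than the window no longer count
        matched = len(recent) >= HITCOUNT
        if matched:
            self.hits[src].append(now)       # --update refreshes "last seen" on a match
        return matched


def ssh_new_connection(table, src, now):
    """Walk the three INPUT rules for one NEW tcp/22 packet (one per TCP
    connection, however many passwords are tried inside it); return the verdict."""
    table.set(src, now)                                   # rule 1: --set --name SSH
    if any(ip_address(src) in net for net in WHITELIST):  # rule 2: -j SSH_WHITELIST
        table.remove(src)                                 #   --remove ... -j ACCEPT
        return "ACCEPT"
    if table.update_matches(src, now):                    # rule 3: --update ... -j denylog
        return "DROP"                                     #   denylog = LOG, then DROP
    return "CONTINUE"   # not matched: falls through to the rest of INPUT


def simulate(events):
    """events: (seconds, source) of NEW SSH connections; returns the verdicts."""
    table = RecentTable()
    return [ssh_new_connection(table, src, t) for t, src in events]
```

Feed it one event per TCP connection, not per password prompt; that is exactly the difference that made the rule look broken in the test above.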