Re: Advice on dealing with scripted SSH attacks? - openssh
You can also use iptables for rate limiting, ala adding the following to
your existing iptables configuration:
# declare the ALLOWED chain before any rule jumps to it (iptables-restore
# rejects a -j to a chain that has not been declared yet)
:ALLOWED - [0:0]
# hand every inbound TCP/22 packet on eth0 to the ALLOWED chain
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ALLOWED
# packets belonging to an already-accepted connection pass untouched
-A ALLOWED -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# new connections (pure SYN) are accepted at most 3 per minute, burst 3
-A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# anything over the limit is logged, then rejected
-A ALLOWED -p tcp -j LOG --log-prefix " DROP RATE_LIMIT " --log-tcp-options --log-ip-options
-A ALLOWED -p tcp -j REJECT --reject-with icmp-port-unreachable
That limits the bad connections to 3 per minute, and you don't have to
worry about DOSing yourself.
On Wed, 29 Mar 2006, Matt P wrote:
> You can also wrap sshd within xinetd:
> service ssh
> {
>     flags           = REUSE
>     socket_type     = stream
>     wait            = no
>     user            = root
>     protocol        = tcp
>     server          = /usr/sbin/sshd
>     server_args     = -i
>     log_type        = FILE /var/log/sshdlog
>     log_on_success  = HOST PID DURATION EXIT
>     log_on_failure  = HOST ATTEMPT
>     disable         = no
> }
> Shut down sshd itself and bounce xinetd; then hosts.allow and/or
> hosts.deny work.
> On 3/28/06, Joseph Spenner
>> --- "Zembower, Kevin"
>>> What's the current advice on dealing with scripts that repeatedly try to
>>> log onto SSH using a list of common usernames and 'password' for the
>>> password? I get up to 4,000 of these a day from a single server. In
>>> searching Google on this, I've learned of techniques using PAM and
>>> firewall rules that are created dynamically in response to log-in
>> I've seen systems where an entry is made in /etc/hosts.allow for sshd:
>> for the offending IP if too many attempts are detected. But in order for
>> this to work, your sshd must be compiled with tcp_wrappers.
>> I see this sort of attack a lot, and if the attacking script hits a
>> tcp-wrapped ssh, it will stop immediately. After a few minutes/hours, the
>> entry can be removed from hosts.allow (or not).
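The dynamic hosts.allow/hosts.deny approach described in the quoted messages comes down to three steps: parse sshd's failure lines, count failures per source address inside a time window, and emit a tcp_wrappers entry for each source over the threshold. The following is an added example, not code from the thread or from any of its participants. It runs those steps over constructed syslog-style sshd lines; the threshold, the window, the log lines, the addresses, and the function names (`parse_failures`, `offenders`, `hosts_deny_lines`) are all assumptions made for this example.

```python
"""Derive tcp_wrappers deny entries from sshd failed-login lines.

Added example, not code from the original thread.  Parses constructed
syslog-format sshd lines, keeps a sliding window of failure timestamps
per source address, and renders `sshd: <ip>` lines suitable for
/etc/hosts.deny for every source that reaches the threshold inside the
window.  tcp_wrappers only honours these entries when sshd was built
with libwrap support, as the quoted message notes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in the syslog format sshd uses.
SAMPLE_LOG = """\
Mar 29 10:00:01 host sshd[1001]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Mar 29 10:00:02 host sshd[1002]: Failed password for invalid user test from 10.0.0.5 port 40002 ssh2
Mar 29 10:00:03 host sshd[1003]: Failed password for root from 10.0.0.5 port 40003 ssh2
Mar 29 10:00:04 host sshd[1004]: Failed password for invalid user oracle from 10.0.0.5 port 40004 ssh2
Mar 29 10:00:05 host sshd[1005]: Accepted publickey for kevin from 192.0.2.10 port 50000 ssh2
Mar 29 10:00:06 host sshd[1006]: Failed password for kevin from 192.0.2.10 port 50001 ssh2
Mar 29 10:30:00 host sshd[1007]: Failed password for invalid user guest from 10.0.0.6 port 40010 ssh2
Mar 29 10:30:01 host sshd[1008]: Failed password for invalid user guest from 10.0.0.6 port 40011 ssh2
Mar 29 11:30:02 host sshd[1009]: Failed password for invalid user guest from 10.0.0.6 port 40012 ssh2
Mar 29 11:30:03 host sshd[1010]: Failed password for invalid user guest from 10.0.0.6 port 40013 ssh2
"""

# Matches the classic "Failed password for [invalid user] NAME from IP port N" line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, ip, user) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the year is an assumption here.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def offenders(log_text, threshold=4, window_seconds=600):
    """Return the set of source IPs with >= threshold failures in any window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = set()
    for ts, ip, _user in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        # drop failures older than the window, measured from the newest one
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged.add(ip)
    return flagged


def hosts_deny_lines(log_text, threshold=4, window_seconds=600):
    """Render one /etc/hosts.deny entry per offending source, sorted."""
    return [f"sshd: {ip}" for ip in sorted(offenders(log_text, threshold, window_seconds))]


if __name__ == "__main__":
    for entry in hosts_deny_lines(SAMPLE_LOG):
        print(entry)
```

On the sample, 10.0.0.5 crosses the threshold within seconds and gets an entry; 10.0.0.6 does not, because its four failures are split across two windows an hour apart; the single failure from 192.0.2.10 (a real user mistyping) is ignored. The same lines can go into /etc/hosts.allow as `sshd: 10.0.0.5 : DENY` if the extended options syntax is in use, which is the variant the quoted message describes. Two caveats worth knowing before building on this: the timestamp rewind on a year boundary needs handling in a long-running daemon, and OpenSSH removed its built-in tcp_wrappers support in version 6.7, so on current systems the same block has to be expressed as a firewall rule or a `Match Address` block in sshd_config instead.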