Re: your favourite method of dealing with ssh brute force attacks

On 03/17/2010 11:24 PM, Michał Piotrowski wrote:
> 2010/3/17 Eric Sandeen<sandeen@xxxxxxxxxx>:
>> Michał Piotrowski wrote:
>>> Hi,
>>>
>>> I recently had 30 hours of ssh brute force attack on my system. I'm
>>> using strong passwords, but still can be generated from /dev/random, so
>>> I switched to rsa authentication. What's your favourite way to deal
>>> with such attacks? Please describe pros and cons.
>>>
>>> Regards,
>>> Michal
>>
>> Aside from not allowing password logins, I throttle them, they usually
>> get tired and go away to an easier target.
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
>
> If I understand correctly - this limits ssh connections to two
> connections per minute. I tried it before on my devel server without
> success. I tried it now with your configuration also without success.
>
> I used
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit
> --limit 2/minute --limit-burst 2 -j ACCEPT
> and I still can connect to ssh as many times as I want.

This needs to be followed by:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP

That way, as long as you stay within the limiting conditions you get 
ACCEPTed by the first rule, but if you make more ssh attempts the limit rule 
no longer applies and you get DROPped instead.

Regards,
   Dennis
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
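
Added example (not part of the original thread and not netfilter code): a toy model of rule traversal showing why the limit rule alone changed nothing and what the trailing DROP rule does. It assumes that, without the DROP rule, a later rule or the chain policy still accepts port 22; the class and function names are made up for the illustration.

```python
from fractions import Fraction

class LimitMatch:
    """Toy model of `-m limit --limit N/minute --limit-burst B`: one token bucket per rule."""
    def __init__(self, per_minute, burst):
        self.rate = Fraction(per_minute, 60)   # credits regained per second
        self.burst = burst
        self.credits = Fraction(burst)         # bucket starts full
        self.last = 0

    def matches(self, now):
        # Refill for the elapsed time (capped at burst), then spend one credit if available.
        self.credits = min(Fraction(self.burst), self.credits + (now - self.last) * self.rate)
        self.last = now
        if self.credits >= 1:
            self.credits -= 1
            return True
        return False

def run_chain(rules, fallthrough, arrivals):
    """Verdict for each NEW connection to port 22; arrivals are times in seconds."""
    verdicts = []
    for now in arrivals:
        for match, target in rules:
            if match is None or match.matches(now):   # None = rule with no limit match
                verdicts.append(target)
                break
        else:
            verdicts.append(fallthrough)               # no rule matched
    return verdicts

# Constructed input: one connection attempt every 5 seconds for a minute.
ATTEMPTS = [t * 5 for t in range(12)]

def limit_only():
    # Assumption: a later rule or the chain policy still accepts port 22.
    return run_chain([(LimitMatch(2, 2), "ACCEPT")], "ACCEPT", ATTEMPTS)

def limit_then_drop():
    # Limit rule followed by the unconditional DROP rule from the reply.
    return run_chain([(LimitMatch(2, 2), "ACCEPT"), (None, "DROP")], "ACCEPT", ATTEMPTS)

if __name__ == "__main__":
    print("limit only     :", limit_only())
    print("limit then DROP:", limit_then_drop())
```

The `limit` match keeps one bucket per rule, not per source address, so every client shares the same allowance and a legitimate login competes with the scanner for it.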

