Thomas Cameron wrote:
These attacks appear to me to fire multiple concurrent connections to
get around the delay.
Thomas
Possibly. I found a script out there and modified it a bit; this will
block the attacker after opening up 3 concurrent connections in 60 seconds:
# Load the recent-match module; ip_list_tot bounds how many addresses it tracks
modprobe ipt_recent ip_list_tot=200
IPT=/sbin/iptables      # path to iptables (assumed; not set in the original snippet)
IF=eth0                 # external interface (assumed; not set in the original snippet)
IPADDR=67.110.180.110
# 1. Source already has 3 hits in the last 60 s: log it (--rcheck reads the list without updating it)
$IPT -A INPUT -i $IF -p tcp \
  -d $IPADDR --dport 22 -m state --state NEW -m recent --rcheck \
  --hitcount 3 --seconds 60 --name SSH_PROBERS \
  -j LOG --log-prefix "Adaptive-FW SSH Prober: "
# 2. Same test, but --update refreshes the entry's timestamp, so continued probing keeps it blocked
$IPT -A INPUT -i $IF -p tcp \
  -d $IPADDR --dport 22 -m state --state NEW -m recent \
  --update --hitcount 3 --seconds 60 --name SSH_PROBERS \
  -j DROP
# 3. Otherwise record this new connection in the list and let it through
$IPT -A INPUT -i $IF -p tcp \
  -d $IPADDR --dport 22 -m state --state NEW -m recent \
  --set --name SSH_PROBERS -j ACCEPT
So far this is working for me; it has a few drawbacks but seems simple
enough for now.
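The LOG rule above writes a kernel log line with the prefix "Adaptive-FW SSH Prober: " each time a source trips the threshold, so the firewall also gives you a record of who is being throttled. The following is an added example, not code from the post or its author: a small POSIX shell script that reads such lines and counts hits per source address. The log lines and addresses in SAMPLE_LOG are constructed (documentation ranges), shaped like netfilter LOG output, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample kernel log lines in the shape netfilter's LOG target
# produces; the addresses are documentation-range values, not real hosts.
# The fourth line carries a different prefix and must be ignored.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: Adaptive-FW SSH Prober: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=67.110.180.110 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: Adaptive-FW SSH Prober: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=67.110.180.110 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=41023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:09 gw kernel: Adaptive-FW SSH Prober: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=67.110.180.110 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=777 DF PROTO=TCP SPT=55001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:10 gw kernel: Other-FW rule: IN=eth0 OUT= SRC=192.0.2.9 DST=67.110.180.110 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Mar  3 10:15:31 gw kernel: Adaptive-FW SSH Prober: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=67.110.180.110 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12390 DF PROTO=TCP SPT=41099 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# count_probers: read log lines on stdin, keep only those with the SSH prober
# prefix, pull out the SRC= address and print "count ip" per source,
# most active source first.
count_probers() {
    grep -F 'Adaptive-FW SSH Prober: ' |
    sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# probers_over N: print only the source addresses logged more than N times
probers_over() {
    count_probers | awk -v n="$1" '$1 > n {print $2}'
}

# Stand-alone use: feed the constructed sample (on a real box, pipe in
# the kernel log instead, e.g. from /var/log/messages or dmesg).
printf '%s\n' "$SAMPLE_LOG" | count_probers
```

Run against the real log, the first column tells you how often each source kept probing after being throttled, which is the kind of visibility the DROP rule alone does not give you; probers_over picks out the persistent ones for closer review.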