Brent Clark wrote:
Hi All
On one of my hosted boxes, my logwatch scripts continuously pipe out my
ssh and auth log of unsuccessful dictionary attacks
Change the sshd listener port to a highport..
I came across this link : http://blog.andrew.net.au/2005/02/17/
And saw that it would help me slow (in hope) that malicious person down.
Would anyone care to comment / share tips etc on what I have below
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A SSH_WHITELIST -s $MYIPADDRESS -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH BRUTE"
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
Interesting, but will have to experiment a bit before commenting.
Is $MYIPADDRESS your (rfc)private IP?
If so, is your intent to remove yourself here?
--
Kind regards,
Mogens Valentin
"One thing you can say about ignorance,
it causes a lot of interesting arguments."
-- Bob Heil (from his book "Concert Sound")
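Added example, not part of the thread: a simplified Python model of how the `recent` match in the posted rules treats a sequence of new SSH connections, useful for reasoning about the ruleset before loading it. The addresses and timings are constructed, `--rttl` is not modelled, and the model assumes that `--update` records a new hit only when it matches.

```python
from collections import deque

SECONDS, HITCOUNT = 60, 4        # from the posted rules
PKT_LIST_TOT = 20                # xt_recent default: timestamps kept per address
WHITELIST = {"192.0.2.10"}       # constructed stand-in for $MYIPADDRESS

class RecentList:
    """Simplified model of the xt_recent list named SSH (--rttl not modelled)."""
    def __init__(self):
        self.stamps = {}

    def set(self, ip, now):          # --set: record a hit; always matches
        self.stamps.setdefault(ip, deque(maxlen=PKT_LIST_TOT)).append(now)

    def remove(self, ip):            # --remove: forget the address
        self.stamps.pop(ip, None)

    def update(self, ip, now):       # --update --seconds 60 --hitcount 4
        seen = self.stamps.get(ip, ())
        matched = sum(1 for t in seen if now - t <= SECONDS) >= HITCOUNT
        if matched:
            seen.append(now)         # assumption: only a matching --update adds a hit
        return matched

def verdict(recent, ip, now):
    """Walk one NEW packet to port 22 through the posted rules, in order."""
    recent.set(ip, now)                       # rule 1
    if ip in WHITELIST:                       # rule 2: SSH_WHITELIST chain
        recent.remove(ip)
        return "ACCEPT"
    recent.update(ip, now)                    # rule 3: LOG (non-terminating)
    if recent.update(ip, now):                # rule 4: DROP
        return "DROP"
    return "PASS"                             # continues to the rest of INPUT

def replay(events):
    recent = RecentList()
    return [verdict(recent, ip, t) for t, ip in events]

# Constructed traffic as (seconds, source address) pairs.
ATTACKER = [(t, "203.0.113.5") for t in (0, 10, 20, 30, 40, 50, 100, 170)]
ADMIN = [(t, "192.0.2.10") for t in range(6)]

if __name__ == "__main__":
    for (t, ip), v in zip(ATTACKER, replay(ATTACKER)):
        print(f"t={t:>3}s {ip} -> {v}")
```

In this model the fourth attempt inside 60 seconds is dropped, dropped attempts keep counting as hits (the one at t=100 is still dropped), and the whitelisted address is never limited because its entry is removed on every connection.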