A friend of mine wrote a perl script some time ago that would watch the log and if a number of occurrences happened over a period of time he'd block the source IP to the SSH port for a period of time. He'd also send himself an email if the threshold hit a certain number from a particular IP address.

Not sure if this directly helps but I figure it wouldn't hurt.

Gary

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Brent Clark
> Sent: Friday, May 06, 2005 8:58 AM
> To: iptables
> Subject: SSH Brute force attacks
>
> Hi All
>
> On one of my hosted boxes, my logwatch scripts continuously pipe out my ssh and auth log of unsuccessful dictionary attacks
>
> I came across this link : http://blog.andrew.net.au/2005/02/17/
>
> And saw that it would help me slow (in hope) that malicious person down.
>
> Would anyone care to comment / share tips etc on what I have below
>
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
> iptables -A SSH_WHITELIST -s $MYIPADDRESS -m recent --remove --name SSH -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH BRUTE"
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
>
> Kind Regards
> Brent Clark
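The log-watching approach Gary describes at the top of this message, sketched in Python as an added example; it is not part of the original thread and is not his friend's Perl script. The sshd log format, the thresholds, the 10-minute block time, the log year, and the names `scan` and `drop_rule` are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in sshd syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
May  6 08:50:01 box sshd[411]: Failed password for root from 192.0.2.10 port 4001 ssh2
May  6 08:50:09 box sshd[412]: Failed password for illegal user test from 192.0.2.10 port 4002 ssh2
May  6 08:50:20 box sshd[413]: Failed password for root from 192.0.2.10 port 4003 ssh2
May  6 08:50:31 box sshd[414]: Failed password for admin from 192.0.2.10 port 4004 ssh2
May  6 08:53:00 box sshd[415]: Failed password for illegal user a from 198.51.100.7 port 1 from 192.0.2.10 port 4005 ssh2
"""

# The user name is text chosen by the remote side, so the greedy ".*" and the
# "$" anchor make the parser take the address sshd wrote at the end of the line.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+(?: ssh\d)?$")

def scan(log, window=timedelta(seconds=60), block_at=4, mail_at=5,
         block_for=timedelta(minutes=10), year=2005):
    """Return (blocks, mail): IP -> time to lift the block, and IPs to mail about."""
    recent, totals = defaultdict(deque), defaultdict(int)
    blocks, mail = {}, []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue  # never hand unvalidated log text to iptables
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:  # keep only failures inside the window
            hits.popleft()
        totals[ip] += 1
        if len(hits) >= block_at and ip not in blocks:
            blocks[ip] = when + block_for
        if totals[ip] == mail_at:
            mail.append(ip)
    return blocks, mail

def drop_rule(ip):  # iptables command closing the SSH port to one source
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

if __name__ == "__main__":
    print([drop_rule(ip) for ip in scan(SAMPLE_LOG)[0]])
```

A scheduler that removes each rule once its lift time has passed, and the mail delivery itself, are left out here.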