On May 7, 2005 01:32 am, Taylor, Grant wrote: > > One one of my hosted boxes, my logwatch scripts continuously pipe out my > > ssh and auth log of unsuccessful dictionary attacks > > > > I came across this link : http://blog.andrew.net.au/2005/02/17/ > > Not a bad idea, but I think there is a little bit of room for growth. Grant: I think you've put together the basis for a FAQ on recent/TARPIT here -- and I like yer attitude *grin* Oskar A: If you'd like I can buff the following up some, but I think this deserves a mention in the iptables tutorial: > > # Let's jump to the SSH_Brute_Force chain if this is a new connection that > is not from my IP address. # This will prevent processing these rules for > non SSH traffic. > iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_Brute_Force > # Let's white list some IP addresses. > iptables -A SSH_Brute_Force -s $My_IP_Address -j RETURN > iptables -A SSH_Brute_Force -s $My_Friends_IP_Address -j RETURN > iptables -A SSH_Brute_Force -s $Any_other_IP_that_I_want_to_white list -j > RETURN # If there have not been 4 NEW connection attempts from this source > IP address in the last 60 seconds let's return to the INPUT chain. iptables > -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent > --hitcount 4 --set --name SSH -j RETURN # Well, the NEW connection has been > seen so let's update the SSH recent list. iptables -A SSH_Brute_Force -m > recent --name SSH --update > # I like to log on a line by it's self so I don't have to remember to do it > on my last line prior to the end of my script. iptables -A SSH_Brute_Force > -j LOG --log-prefix "SSH Brute Force Attempt: " # Let's send the person > that is trying to SSH in to us to the TARPIT target and make them think > twice before they try again. # TARPIT will force the site that is SSHing in > to us to timeout the connection. Sure stick you hand in my port, I'll grab > hold of it and not let go, # you will have to chew your arm off and grow a > new one and try again. I'll hold your new arm again and again and again > and... This should slow you down. iptables -A SSH_Brute_Force -j TARPIT > # I can be a mean vindictive SoB (Sweet Old Buzzard. NOT!) I like that in an admin. *grin* Alistair Tonner > > I tried putting in comments to explain the logic of what is going on, if > you have any questions please let me know. > > > > Grant. . . .
