Cool. Ive been having the same issue for quite some time. Im going to look hard at this. ddh Quoting Alistair Tonner <Alistair@xxxxxxxxxx>: > On May 7, 2005 01:32 am, Taylor, Grant wrote: > > > One one of my hosted boxes, my logwatch scripts continuously pipe out my > > > ssh and auth log of unsuccessful dictionary attacks > > > > > > I came across this link : http://blog.andrew.net.au/2005/02/17/ > > > > Not a bad idea, but I think there is a little bit of room for growth. > > > Grant: > I think you've put together the basis for a FAQ on recent/TARPIT here -- > and > I like yer attitude *grin* > > Oskar A: > > If you'd like I can buff the following up some, but I think this deserves a > mention in the iptables tutorial: > > > > > # Let's jump to the SSH_Brute_Force chain if this is a new connection that > > is not from my IP address. # This will prevent processing these rules for > > non SSH traffic. > > iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_Brute_Force > > # Let's white list some IP addresses. > > iptables -A SSH_Brute_Force -s $My_IP_Address -j RETURN > > iptables -A SSH_Brute_Force -s $My_Friends_IP_Address -j RETURN > > iptables -A SSH_Brute_Force -s $Any_other_IP_that_I_want_to_white list -j > > RETURN # If there have not been 4 NEW connection attempts from this source > > IP address in the last 60 seconds let's return to the INPUT chain. iptables > > -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent > > --hitcount 4 --set --name SSH -j RETURN # Well, the NEW connection has been > > seen so let's update the SSH recent list. iptables -A SSH_Brute_Force -m > > recent --name SSH --update > > # I like to log on a line by it's self so I don't have to remember to do it > > on my last line prior to the end of my script. iptables -A SSH_Brute_Force > > -j LOG --log-prefix "SSH Brute Force Attempt: " # Let's send the person > > that is trying to SSH in to us to the TARPIT target and make them think > > twice before they try again. # TARPIT will force the site that is SSHing in > > to us to timeout the connection. Sure stick you hand in my port, I'll grab > > hold of it and not let go, # you will have to chew your arm off and grow a > > new one and try again. I'll hold your new arm again and again and again > > and... This should slow you down. iptables -A SSH_Brute_Force -j TARPIT > > # I can be a mean vindictive SoB (Sweet Old Buzzard. NOT!) > > I like that in an admin. *grin* > > Alistair Tonner > > > > I tried putting in comments to explain the logic of what is going on, if > > you have any questions please let me know. > > > > > > > > Grant. . . . > -- Dwayne Hottinger Network Administrator Harrisonburg City Public Schools
