How efficient is recent, I currently scan my log files for 'evil' activity and build up a list of around 2000s ip addresses which I place into a BLOCKED chain, there is about 2 lines per entry cause I TARPIT tcp sessions. But I could more easily manage it with recent as I can just use the test of are they in the list ! I am presuming it is more efficient to use recent cause it hashes the address ! can any one confirm this ? A On Sun, May 08, 2005 at 02:51:24PM -0400, Dwayne Hottinger wrote: > Cool. Ive been having the same issue for quite some time. Im going to look > hard at this. > > ddh > > > Quoting Alistair Tonner <Alistair@xxxxxxxxxx>: > > > On May 7, 2005 01:32 am, Taylor, Grant wrote: > > > > One one of my hosted boxes, my logwatch scripts continuously pipe out my > > > > ssh and auth log of unsuccessful dictionary attacks > > > > > > > > I came across this link : http://blog.andrew.net.au/2005/02/17/ > > > > > > Not a bad idea, but I think there is a little bit of room for growth. > > > > > > Grant: > > I think you've put together the basis for a FAQ on recent/TARPIT here -- > > and > > I like yer attitude *grin* > > > > Oskar A: > > > > If you'd like I can buff the following up some, but I think this deserves a > > mention in the iptables tutorial: > > > > > > > > # Let's jump to the SSH_Brute_Force chain if this is a new connection that > > > is not from my IP address. # This will prevent processing these rules for > > > non SSH traffic. > > > iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_Brute_Force > > > # Let's white list some IP addresses. > > > iptables -A SSH_Brute_Force -s $My_IP_Address -j RETURN > > > iptables -A SSH_Brute_Force -s $My_Friends_IP_Address -j RETURN > > > iptables -A SSH_Brute_Force -s $Any_other_IP_that_I_want_to_white list -j > > > RETURN # If there have not been 4 NEW connection attempts from this source > > > IP address in the last 60 seconds let's return to the INPUT chain. iptables > > > -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent > > > --hitcount 4 --set --name SSH -j RETURN # Well, the NEW connection has been > > > seen so let's update the SSH recent list. iptables -A SSH_Brute_Force -m > > > recent --name SSH --update > > > # I like to log on a line by it's self so I don't have to remember to do it > > > on my last line prior to the end of my script. iptables -A SSH_Brute_Force > > > -j LOG --log-prefix "SSH Brute Force Attempt: " # Let's send the person > > > that is trying to SSH in to us to the TARPIT target and make them think > > > twice before they try again. # TARPIT will force the site that is SSHing in > > > to us to timeout the connection. Sure stick you hand in my port, I'll grab > > > hold of it and not let go, # you will have to chew your arm off and grow a > > > new one and try again. I'll hold your new arm again and again and again > > > and... This should slow you down. iptables -A SSH_Brute_Force -j TARPIT > > > # I can be a mean vindictive SoB (Sweet Old Buzzard. NOT!) > > > > I like that in an admin. *grin* > > > > Alistair Tonner > > > > > > I tried putting in comments to explain the logic of what is going on, if > > > you have any questions please let me know. > > > > > > > > > > > > Grant. . . . > > > > > -- > Dwayne Hottinger > Network Administrator > Harrisonburg City Public Schools > >
Attachment:
signature.asc
Description: Digital signature
