Re: SSH Brute force attacks

Taylor, Grant wrote:

This *IS* based on the number of NEW connections in a given time frame. Note the "--seconds 60" parameter. This is designed to see if there have been less than x number of NEW connections in the 60 second period. If there have been less than x number of NEW connections in y time (seconds) then RETURN back to the calling chain and do not continue to parse this chain and ultimately TARPIT or DROP.


NOTE: Take a look at https://lists.netfilter.org/pipermail/netfilter/2005-May/060570.html as this email has a newer (functioning) version of this script.



Grant. . . .


Hi all

Grant, thanks for this.

I understand what you are saying, but what I was hoping for was a solution whereby the src ip is not part of my whitelist.

For example, I have a dialup account (dynamic ip) at home. If I need to SSH into my Linux box from home, I can't because the ip I have been allocated will not be in the whitelist.

Just something I was thinking.

Kind Regards
Brent Clark.

P.s. I am glad the ruleset does work (tried it from one of my foreign accounts) - THANKS FOR THIS. Really appreciate it.

May 19 09:46:46 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36165 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5C847EF80000000001030300)
May 19 09:46:49 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36166 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5C8480240000000001030300)
May 19 09:46:55 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=218.83.155.71 DST=217.199.186.118 LEN=422 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=59537 DPT=1027 LEN=402
May 19 09:46:55 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36167 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5C84827C0000000001030300)
May 19 09:47:07 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36168 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5C84872C0000000001030300)
May 19 09:47:31 ns kernel: SSH Brute Force Attempt: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36169 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
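As an added illustration (not code from the thread, nor Grant's script), the Python below models the counting rule Grant describes, "x NEW connections within --seconds 60", as a sliding window per source address, and runs it over the six kernel log lines posted above. It also shows the whitelist behaviour Brent is asking about: a whitelisted source is simply never counted, which is why a dynamic home IP that is not on the list gets the same treatment as anyone else. The hitcount of 5 and the assumption that the current packet is counted (the usual `--set` rule preceding the `--update --seconds --hitcount` check) are assumptions, since the ruleset itself is not reproduced in this message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The six kernel LOG lines from the post above, used as sample input.
SAMPLE_LOG = """\
May 19 09:46:46 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36165 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5C847EF80000000001030300)
May 19 09:46:49 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36166 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5C8480240000000001030300)
May 19 09:46:55 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=218.83.155.71 DST=217.199.186.118 LEN=422 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=59537 DPT=1027 LEN=402
May 19 09:46:55 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36167 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5C84827C0000000001030300)
May 19 09:47:07 ns kernel: [INPUT DROP]: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36168 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A5C84872C0000000001030300)
May 19 09:47:31 ns kernel: SSH Brute Force Attempt: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=196.36.161.230 DST=217.199.186.118 LEN=60 TOS=0x10 PREC=0x00 TTL=49 ID=36169 DF PROTO=TCP SPT=52939 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", the LOG --log-prefix, then KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?): (?P<rest>.*)$"
)


def parse_line(line):
    """Turn one netfilter LOG line into a dict with the timestamp, the log
    prefix, the KEY=VALUE fields and the bare flags (DF, SYN, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    # No year in syslog timestamps; only differences between stamps are used.
    ts = datetime.strptime(re.sub(r" +", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "prefix": m.group("prefix"), "fields": fields, "flags": flags}


def is_new_ssh_connection(ev):
    """A NEW connection in conntrack terms: a TCP SYN to port 22."""
    f = ev["fields"]
    return f.get("PROTO") == "TCP" and f.get("DPT") == "22" and "SYN" in ev["flags"]


def detect_ssh_floods(lines, seconds=60, hitcount=5, whitelist=frozenset()):
    """Sliding-window model of 'recent --seconds S --hitcount N' (assumed here
    to follow a --set rule, so the current packet is included in the count).
    Returns {src: [times at which the count inside the window reached N]}."""
    recent = defaultdict(deque)   # per-source timestamps, like the recent table
    flagged = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_new_ssh_connection(ev):
            continue
        src = ev["fields"]["SRC"]
        if src in whitelist:
            continue  # whitelisted sources are never counted (Brent's dynamic IP would not be here)
        stamps = recent[src]
        stamps.append(ev["ts"])
        while (ev["ts"] - stamps[0]).total_seconds() > seconds:
            stamps.popleft()  # drop hits older than the window
        if len(stamps) >= hitcount:
            flagged[src].append(ev["ts"].strftime("%H:%M:%S"))
    return dict(flagged)


if __name__ == "__main__":
    for src, times in detect_ssh_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: threshold reached at {', '.join(times)}")
```

With a hitcount of 5 the model flags 196.36.161.230 at 09:47:31, the same packet the posted log labels "SSH Brute Force Attempt"; the UDP line from 218.83.155.71 is ignored because it is not a new TCP connection to port 22. Shrinking the window to 30 seconds clears the flag, which is the trade-off behind the `--seconds` value: a shorter window tolerates a legitimate user retrying a few times, a longer one catches slower attempts.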
