Re: SSH Brute force attacks

Hi Brent, Hi List,

On Wednesday, May 25, 2005 7:35 AM,
Brent Clark wrote:

> For some funny reason I still can't seem to get this right.
> I tried connecting from home (dynamically assigned IP) and I still can't
> connect.

From having a short look over your ruleset, I can't find a rule that finally accepts NEW ssh connections after the packet has successfully passed the brute-force section. Perhaps you want to append an ACCEPT rule for that, so the whole block about ssh looks like the following:

[...]
$IPT -N SSH_Brute_Force
[...]
$IPT -A SSH_Brute_Force -j DROP
# Now finally accept NEW ssh traffic
$IPT -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[...]

An alternative way might be replacing the RETURN targets with ACCEPT. Though I think the way with RETURN is cleaner. For if you append other DROP rules to your ruleset later, you might wonder why some ssh connections are magically accepted.
Speaking of cleanliness: maybe you also want to remove the final DROP rule and set the policy of the INPUT chain to DROP instead. But this should not affect functionality ;-)
Oh, almost forgot: sometimes the reason for strange behaviour is your rules not getting flushed. Don't think it's the case here, but if it still does not work after adding the ACCEPT rule... ;-)


Good Luck!

Marius


