Re: SSH Brute force attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Taylor, Grant wrote:
The first two LOG & DROPs are from the default LOG and DROP of your INPUT chain. For the packet to make it to this point in your input chain the packet had to traverse the SSH_Brute_Force chain where the source address was set in the SSH recent list. Seeing as how the source address has not been seen 3 times via the recent match extension and thus qualify for a RETURN to the input chain it is thus LOGed and DROPed by the default LOG and DROP targets of your input chain. Upon the third packet coming in to your firewall the packet will traverse the SSH_Brute_Force chain and no match the (inverse) "--hitcount 3" recent check and thus not get RETURNED to the input chain and subsequently get LOGed and DROPed by the SSH_Brute_Force chain. This explains the three log entries with the staggered times and the different log prefix based on where they are getting dropped. As such I think the solution to your particular situation is to use a target of ACCEPT, not RETURN on your 2nd SSH_Brute_Force rule that matches the "--hitcount 3". 

Give that a try and let me know if that works for you please.
Grant. . . .



AHHH it work

THANKS SOOOO much Grant

Really appreiate this

I did as you advised:

$IPT -N SSH_Brute_Force
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force 
$IPT -A SSH_Brute_Force -s 196.36.10.114 -j ACCEPT
$IPT -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j ACCEPT 
$IPT -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt:  "
$IPT -A SSH_Brute_Force -p tcp -j DROP

I can ssh in and look a this bugger
May 31 10:50:25 ns sshd[13099]: Failed password for root from 62.123.184.40 port 22646 ssh2 May 31 10:50:26 ns kernel: SSH Brute Force Attempt: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=62.123.184.40 DST=217.199.186.118 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2712 DF PROTO=TCP SPT=22755 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 May 31 10:50:29 ns kernel: SSH Brute Force Attempt: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=62.123.184.40 DST=217.199.186.118 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2713 DF PROTO=TCP SPT=22755 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 May 31 10:50:35 ns kernel: SSH Brute Force Attempt: IN=eth0 OUT= MAC=00:0c:76:5e:d3:61:00:d0:02:eb:84:0a:08:00 SRC=62.123.184.40 DST=217.199.186.118 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2714 DF PROTO=TCP SPT=22755 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 

Damn him for trying HEHEHEEH.

Thanks again Grant and all

Kind Regards
Brent Clark
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux