Re: SSH Brute force attacks

Is there a way to parse the attacker's IP and block it permanently via:
iptables -A INPUT -s $IP -j DROP
and cat > /etc/hosts.deny ?

something close to what portsentry does, but using that SSH iptables
Brute force script.

This thread went big and confusion reigned on the latest version of the
Brute Force script, kindly post the latest/best iptable rules :)

thanks

On Mon, 2005-05-23 at 18:31 +0200, Brent Clark wrote:
> Taylor, Grant wrote:
> >> So... I can't see why I can't connect from a dynamically assigned ip.
> > 
> > 
> > Brent, I'll have to take a closer look at your script later on (complete 
> > flow analysis vs just the SSH_Brute_Force chain).  But for now it looks 
> > like you have both versions (original and updated one) in your firewall, 
> > this could be causing a few problems as I don't think it would take more 
> > than one attempt in a 60 second period to get yourself to the point 
> > that you would be TARPITed / DROPed.  However I think that you would be 
> > able to connect at least 1 time from any dynamic remote IP in the 60 
> > second period.  Also keep in mind that the recent module (in the updated 
> > version) is using an --update option which will keep track of the number 
> > of times that you have tried to connect for 60 seconds after the last 
> > connection attempt.
> > 
> 
> Hi Grant
> 
> If you look carefully on the left, you will see I have hashed out the 
> original rules.
> 
> Thanks
> 
> Kind Regards
> Brent Clark
> 
-- 
Sadus . <sadus@xxxxxxxxxxxx>
Swiftbin.net
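
The parsing step asked about in the message above, as an added example (not part of the original post and not the thread's Brute Force script). It reads sshd "Failed password" lines and prints, without running, the `iptables` rule and `/etc/hosts.deny` line for each repeat offender; `THRESHOLD`, `ALLOW` and the log lines are assumptions constructed for the example, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example: prints (does not run) block actions for repeat SSH offenders.
THRESHOLD=2            # assumed: failed logins before an address is listed
ALLOW="198.51.100.20"  # assumed admin address that must never be blocked

# Constructed sample lines in the OpenSSH "Failed password" log format.
sample_log() {
cat <<'EOF'
May 23 18:30:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
May 23 18:30:04 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
May 23 18:31:10 host sshd[110]: Failed password for invalid user x from 203.0.113.99 from 192.0.2.77 port 4010 ssh2
May 23 18:31:12 host sshd[111]: Failed password for invalid user x from 203.0.113.99 from 192.0.2.77 port 4011 ssh2
May 23 18:32:00 host sshd[120]: Failed password for brent from 198.51.100.20 port 4020 ssh2
May 23 18:32:05 host sshd[121]: Failed password for brent from 198.51.100.20 port 4021 ssh2
May 23 18:33:00 host sshd[130]: Failed password for root from 203.0.113.200 port 4030 ssh2
EOF
}

# offenders: log lines on stdin -> IPv4 addresses with >= THRESHOLD failures.
offenders() {
  awk -v min="$THRESHOLD" '
    /sshd\[[0-9]+\]: Failed password for / {
      # The user name is supplied by the remote side and may itself contain
      # " from <address>", so take the address from its fixed position at
      # the END of the line, never from the first "from".
      n = NF
      if ($n != "ssh2" || $(n-2) != "port" || $(n-4) != "from") next
      ip = $(n-3)
      if (split(ip, o, ".") != 4) next
      for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] > 255) next
      count[ip]++
    }
    END { for (ip in count) if (count[ip] >= min) print ip }
  ' | LC_ALL=C sort
}

# block_actions: addresses on stdin -> iptables rule and hosts.deny entry.
block_actions() {
  while read -r ip; do
    case " $ALLOW " in *" $ip "*) continue ;; esac   # skip allowlisted hosts
    printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    printf 'sshd: %s\n' "$ip"                        # /etc/hosts.deny format
  done
}

sample_log | offenders | block_actions
```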
