Taylor, Grant wrote:
# NetFilter MailList SSH_Brute_Force Chain version 1.0.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
iptables -A SSH_Brute_Force -s $My_Home_Firewall_IP -j RETURN
iptables -A SSH_Brute_Force -s $My_Office_Firewall_IP -j RETURN
iptables -A SSH_Brute_Force -s $My_Girlfriends_Firewall_IP -j RETURN
iptables -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
iptables -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
iptables -A SSH_Brute_Force -p tcp -j TARPIT
Thanks, that is most informative. Here's an (hopefully) interesting
twist on that:
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j SSH
-A SSH -m recent --rcheck --seconds 300 --hitcount 7 --name SSH --rsource -j DROP
-A SSH -m recent --rcheck --seconds 30 --hitcount 4 --name SSH --rsource -j RETURN
-A SSH -j DROP
Now we must make 3 failed attempts to connect within 30 seconds; then the
4th through 7th attempts will be allowed. Further attempts will not
be allowed until 5 minutes of idle time. Port scanners should blow
right past this thinking "the port is closed"; you can still get in by
doing multiple attempts, and anyone who does figure it out can still only
issue 4 brute attempts every 5 minutes.