On Sunday 2005-September-04 14:59, I wrote:
> -A Ssh -m state --state ESTABLISHED -j ACCEPT
> -A Ssh -m limit --limit 3/m --limit-burst 3 -j ACCEPT
> -A Ssh -m limit --limit 1/m --limit-burst 1 -j LOG --log-prefix "SSH attack: "
> -A Ssh -j REJECT

Originally when I did this I used DROP. DROP sent the bots away. But results with REJECT today indicate a sort of tarpitting effect: one bot took 11 minutes from start to finish, logging 33 attempts to authenticate and 11 --log-prefix "SSH attack: " entries.

So it depends what your goal is. If you don't feel safe enough with your sshd, use DROP. If you want to interfere with their operation, REJECT.

I think that REJECT gives them an opportunity to DoS, to a small extent. During that 11-minute attack I probably would not have been able to SSH in. If that's so, DROP should effectively limit the DoS to one minute per attack.
-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
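The following is an added example, not part of the original message: a simplified, whole-second token-bucket model of the two `-m limit` rules in the quoted chain, showing how new connection attempts are split between ACCEPT, LOG and REJECT. The traffic pattern, the source labels and all function names are constructed for illustration.

```python
"""Model of the Ssh chain's rules as seen by packets that are not ESTABLISHED."""

class LimitMatch:
    """Token bucket approximating iptables '-m limit' at one-second resolution."""
    def __init__(self, per_minute, burst):
        self.cost = 60 // per_minute   # seconds of credit one match costs
        self.cap = burst * self.cost   # --limit-burst, expressed as credit
        self.credit = self.cap         # the bucket starts full
        self.prev = 0

    def matches(self, now):
        # Credit refills with elapsed time, capped at the burst size.
        self.credit = min(self.cap, self.credit + (now - self.prev))
        self.prev = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False

def run_chain(packets):
    """packets: (time_s, source) tuples sorted by time -> (time_s, source, verdict)."""
    accept = LimitMatch(3, 3)   # --limit 3/m --limit-burst 3 -j ACCEPT
    log = LimitMatch(1, 1)      # --limit 1/m --limit-burst 1 -j LOG
    out = []
    for t, src in packets:
        if accept.matches(t):
            out.append((t, src, "ACCEPT"))
        elif log.matches(t):    # LOG does not terminate; the packet falls to REJECT
            out.append((t, src, "LOG+REJECT"))
        else:
            out.append((t, src, "REJECT"))
    return out

def tally(results, source):
    counts = {"ACCEPT": 0, "LOG+REJECT": 0, "REJECT": 0}
    for _, src, verdict in results:
        if src == source:
            counts[verdict] += 1
    return counts

# Constructed traffic: one client opening a connection every 5 s for 11 minutes,
# plus a single administrator attempt at t=302 s.
BOT = [(t, "bot") for t in range(0, 660, 5)]
ADMIN = [(302, "admin")]
RESULTS = run_chain(sorted(BOT + ADMIN))

if __name__ == "__main__":
    print("bot:  ", tally(RESULTS, "bot"))
    print("admin:", tally(RESULTS, "admin"))
```

Because the limit is not per source address, the administrator's attempt draws on the same bucket as the persistent client and is refused while that client keeps the bucket empty.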