--------- Original Message --------
From: Dominic Caputo <jec6jec6@xxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx <netfilter@xxxxxxxxxxxxxxxxxxx>
Subject: SSHBrute Force: False Positives
Date: 01/02/07 02:30
>
> I have been reading up on iptables and I am by no means an expert, but I have
> a problem with SSH brute force attacks on port 22. I am currently using the
> config below to minimise these threats, but I am constantly getting false
> positives (logs actually say that my connection has been flagged as a brute
> force connection even on the first attempt, but then on others it
> connects first time with no problems).
>
> #SSH Brute-Force Scan Check
> $IPTABLES -N SSH_Brute_Force
> $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
> $IPTABLES -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 4 --name SSH --rsource -j ACCEPT
> $IPTABLES -A SSH_Brute_Force -j LOG --log-level info --log-prefix "SSH Brute Force Attempt: "
> $IPTABLES -A SSH_Brute_Force -p tcp -j DROP
>
> Any help with this problem would be great
>
> Dominic
>

... you can start by changing the SSH port from 22 to xxx... this doesn't solve your problem, but this measure minimizes this kind of attack by something like 70%

________________________________________________
linux.pctools.cl
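
A small model of how the quoted rules count packets, added here as an example (it is not part of either message). It assumes the `recent` match records every NEW packet to port 22 per source address, SYN retransmissions of a dropped attempt included; `RecentList`, `verdicts` and the timeline are hypothetical names and constructed data.

```python
from collections import defaultdict, deque

SECONDS = 60       # --seconds 60
HITCOUNT = 4       # --hitcount 4
PKT_LIST_TOT = 20  # timestamps kept per address (ip_pkt_list_tot default)


class RecentList:
    """Hypothetical model of `-m recent --name SSH --rsource`."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # --set: record this packet's arrival time for the source address
        self.stamps[src].append(now)

    def rcheck(self, src, now):
        # --rcheck --seconds 60 --hitcount 4: true once at least HITCOUNT
        # recorded packets from src fall inside the last SECONDS seconds
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        return hits >= HITCOUNT


def verdicts(packets):
    """packets: time-ordered (seconds, source) pairs, one per NEW tcp/22 packet."""
    recent, out = RecentList(), []
    for now, src in packets:
        recent.set(src, now)  # INPUT rule: --set, then jump to SSH_Brute_Force
        # chain rule 1 ACCEPTs when rcheck is false; otherwise LOG then DROP
        out.append((now, src, "DROP" if recent.rcheck(src, now) else "ACCEPT"))
    return out


# Constructed timeline; addresses are from the documentation ranges.
A, B = "192.0.2.10", "198.51.100.7"
SAMPLE = [
    (0, A), (5, A), (20, A),  # three sessions opened within 20 s
    (30, A),                  # fourth NEW packet inside the 60 s window
    (33, A), (39, A),         # SYN retransmissions of the dropped attempt
    (40, B),                  # another source has its own counter
    (85, A),                  # new attempt, 65 s after the last accepted one
    (100, A),
]

if __name__ == "__main__":
    for now, src, verdict in verdicts(SAMPLE):
        print(f"t={now:>3}s  {src:<13} {verdict}")
```

In this model the attempt at t=85 is dropped even though the three accepted sessions have aged out of the window, because the dropped packets at 30, 33 and 39 s were recorded as well.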