On 1/31/07, Dominic Caputo <jec6jec6@xxxxxxxxx> wrote:
I have been reading up on iptables and i am by no means an expert but i have a problem with SSH brute force attacks on port 22. I am currently using the config below to minimise these threats but i am constantly getting false positives (logs actually say that my connection has been flagged as a brute force connection even on the on the first attempt-but then on others it connects first time with no problems) #SSH Brute-Force Scan Check $IPTABLES -N SSH_Brute_Force $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force $IPTABLES -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 4 --name SSH --rsource -j ACCEPT $IPTABLES -A SSH_Brute_Force -j LOG --log-level info --log-prefix "SSH Brute Force Attempt: " $IPTABLES -A SSH_Brute_Force -p tcp -j DROP Any help with this problem would be great
About the problem with ssh brute force attacks, you can use portknocking [1]. There are several portknocking projects, but you can use portknocko project [2]. This is a netfilter module that implements portknocking in an easy way. This module works in kernel 2.6.15, for now. It will work in newer versions soon. We need more feedback about this project. We will be thankful for your comments. [1] http://www.portknocking.org [2] http://portknocko.berlios.de -- Federico
