Re: SSHBrute Force: False Postives

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 1 Feb 2007, fender wrote:


On 1/31/07, Dominic Caputo <jec6jec6@xxxxxxxxx> wrote:
I have been reading up on iptables and i am by no means an expert but i have 
a problem with SSH brute force attacks on port 22. I am currently using the
config below to minimise these threats but i am constantly getting false
positives (logs actually say that my connection has been flagged as a brute
force connection even on the on the first attempt-but then on others it
connects first time with no problems)

#SSH Brute-Force Scan Check
$IPTABLES -N SSH_Brute_Force
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name
SSH --set --rsource -j SSH_Brute_Force
$IPTABLES -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount
4 --name SSH --rsource -j ACCEPT
$IPTABLES -A SSH_Brute_Force -j LOG --log-level info --log-prefix "SSH Brute 
Force Attempt:  "
$IPTABLES -A SSH_Brute_Force -p tcp -j DROP

Any help with this problem would be great



About the problem with ssh brute force attacks, you can use portknocking
[1]. There are several portknocking projects, but you can use
portknocko project [2]. This is a netfilter module that implements
portknocking in an easy way. This module works in kernel 2.6.15, for
now. It will work in newer versions soon. We need more feedback about
this project.

We will be thankful for your comments.


[1] http://www.portknocking.org
[2] http://portknocko.berlios.de

--
Federico



portknocking is merely security through obscurity, is it not?

especially so with modules that reside with preset defaults...

Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFyOrTst+vzJSwZikRAkjqAJ0TbijLmTG4qZMVl7ZwXQu2cABfLACfRO/0
B78mFQx8+DCkDi/gY0vHgoo=
=dZEg
-----END PGP SIGNATURE-----
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux