Re: SSH hack attempts - bad?

Blake B. shadoi at nanovoid.com
Wed Apr 12 09:10:01 MDT 2006


On Apr 12, 2006, at 7:22 AM, Chris Carey wrote:

> If you want a very nice dynamic port blocker, try Port Scan Attack
> Detector (PSAD) http://www.cipherdyne.com/psad/
>
> Though, you could spend your whole life fighting this losing battle.
> My opinion is to set your security in place, and forget about it.


I agree with that completely. But I like simplicity. I just use
rate-limiting; I get maybe 2 or 3 attempts at SSH on port 22 a day.
With this method they give up very quickly.

# Both rules are inserted with -I, so the second (DROP) rule ends up above
# the first: a NEW connection is checked against the recent list first and
# only then recorded with --set.
sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Anything that hits port 22 more than 4 times within 60 seconds gets
blocked. This is obviously vulnerable to throttling the attacks, but
it's always automated, and they're usually only interested in the
low-hanging fruit.

-Blake
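The two rules above, as an added example that is not the poster's code: a small Python model of how the `recent` match evaluates them, so you can see which attempt gets dropped, how the block stays alive while the guesser keeps retrying, and why the rule order produced by the two -I commands matters. It assumes simplified xt_recent semantics (stated in the docstring) and constructed sample addresses.

```python
"""Model of the two iptables rules in the post (added example, not the poster's
code).  Both were inserted with -I, so the DROP rule sits above the --set
rule: a NEW connection to port 22 is checked against the ``recent`` list first
and recorded second.  Simplified xt_recent semantics: --set records a
timestamp; --update matches when the source already has HITCOUNT timestamps
inside SECONDS and then records one more (keeps a persistent retrier blocked)."""

SECONDS = 60   # --seconds 60
HITCOUNT = 4   # --hitcount 4

class RecentTable:
    """Per-source timestamp list, like /proc/net/xt_recent/DEFAULT."""
    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        self.stamps.setdefault(src, []).append(now)

    def update(self, src, now):
        """True if src has >= HITCOUNT stamps within the last SECONDS."""
        live = [t for t in self.stamps.get(src, []) if now - t <= SECONDS]
        if len(live) >= HITCOUNT:
            self.stamps[src] = live + [now]   # --update refreshes on match
            return True
        return False

def filter_new_ssh(table, src, now, drop_rule_first=True):
    """Walk the INPUT chain for one NEW connection; return the verdict."""
    if drop_rule_first:                 # order produced by the two -I commands
        if table.update(src, now):
            return "DROP"
        table.set(src, now)
        return "ACCEPT"
    table.set(src, now)                 # order you would get with -A instead
    return "DROP" if table.update(src, now) else "ACCEPT"

def simulate(attempts, drop_rule_first=True):
    """attempts: list of (seconds_since_start, source_ip), in arrival order."""
    table = RecentTable()
    return [filter_new_ssh(table, s, t, drop_rule_first) for t, s in attempts]

# Constructed sample: a scripted guesser every 5 s, an unrelated host at t=30,
# then the guesser again at t=70 (inside its refreshed window) and at t=140.
GUESSER, OTHER = "198.51.100.7", "203.0.113.9"
ATTEMPTS = [(t, GUESSER) for t in (0, 5, 10, 15, 20, 25)] + \
           [(30, OTHER), (70, GUESSER), (140, GUESSER)]

if __name__ == "__main__":
    for (t, src), verdict in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(f"t={t:3d}s {src:15} {verdict}")
```

With the -I ordering the fifth attempt inside 60 s is dropped, and the retry at t=70 is still dropped because each matching --update refreshes the window; with -A ordering the fourth attempt is already dropped.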
