Re: SSH hack attempts - bad?

Blake B. shadoi at nanovoid.com
Wed Apr 12 12:46:40 MDT 2006


On Apr 12, 2006, at 9:51 AM, Chris Carey wrote:

> On 4/12/06, Blake B. <shadoi at nanovoid.com> wrote:
>>
>> I agree with that completely.  But I like simplicity.  I just use
>> rate-limiting, I get maybe 2 or 3 attempts at SSH on port 22 a day.
>> With this method they give up very quickly.
>>
>> # -I inserts at the top, so the DROP rule (added second) ends up above
>> # the --set rule, which is the order the recent module needs.
>> sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
>>     -m recent --set
>> sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW \
>>     -m recent --update --seconds 60 --hitcount 4 -j DROP
>>
>> Anything that hits port 22 more than 4 times within 60 seconds gets
>> blocked.  This is obviously vulnerable to throttling the attacks, but
>> it's always automated, and they're usually only interested in the
>> low-hanging fruit.
>>
>> -Blake
>
>
> This is cool.  Is the rate-limiting on port 22 only blocking the IP of
> the offending connection? *or* does it block port 22 for *everyone* if
> there are too many incoming connections?

Only the offending IP.  You can also use the "limit" module to do
complete limiting without a blacklist (excerpt from
http://www.penguinsecurity.net/pensec/modules.php?name=News&file=article&sid=171):

One obvious application of rate limiting on incoming traffic is to  
block ping flooding. We can obviously block ping floods with a rule  
blocking incoming echo-request ICMP packets altogether, but this is  
inelegant; this is linux, remember? What we want to do, rather, is to  
allow such packets but only in small quantities. Have a look at the  
relevant rule:

     # The limit match only ACCEPTs packets within the budget; a later
     # rule (or the chain's default policy) has to DROP the excess.
     iptables -A INPUT -p ICMP --icmp-type echo-request \
     -m limit --limit 1/minute --limit-burst 5 -j ACCEPT

-Blake
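An added example, not from the thread or the quoted article: a small Python model of the two iptables matches discussed above, run over constructed sample traffic, to make visible the difference Chris asked about. `RecentLimiter` approximates `-m recent --update --seconds 60 --hitcount 4 -j DROP` followed by `-m recent --set` (a per-source sliding window, so only the offending address is dropped, and the block lapses once that address's hits age out of the window); `LimitMatch` approximates `-m limit --limit 1/minute --limit-burst 5` as a single token bucket shared by every sender, so a flood from one host drains the budget for everybody. The semantics are a simplification assumed here rather than taken from the kernel modules, and the addresses and timestamps are made up.

```python
"""Model of the two iptables rate-limiting matches from the thread.

Simplified semantics (assumed, not lifted from xt_recent / xt_limit):
  recent: per-source timestamps; the DROP rule matches when the source
          already has >= hitcount stamps inside the window, and every
          examined packet then gets a stamp (--update on match, --set
          on fall-through).
  limit:  one token bucket for all senders, burst tokens to start,
          refilled at the configured rate; a packet with no token does
          not match and falls through to whatever rule/policy follows.
All addresses and times below are constructed sample data.
"""
from collections import defaultdict, deque


class RecentLimiter:
    """Model of the two-rule 'recent' pattern (--update/--hitcount then --set)."""

    def __init__(self, seconds=60, hitcount=4, list_size=20):
        self.seconds = seconds
        self.hitcount = hitcount
        # xt_recent keeps a bounded ring of stamps per address
        # (ip_pkt_list_tot, default 20); deque(maxlen=) behaves the same way.
        self.stamps = defaultdict(lambda: deque(maxlen=list_size))

    def verdict(self, src, now):
        stamps = self.stamps[src]
        # The packet being examined is not yet in the list, so the
        # (hitcount+1)th attempt inside the window is the first one dropped.
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        stamps.append(now)
        return "DROP" if hits >= self.hitcount else "ACCEPT"


class LimitMatch:
    """Token-bucket model of -m limit --limit R/minute --limit-burst B -j ACCEPT."""

    def __init__(self, per_minute=1.0, burst=5):
        self.capacity = burst
        self.tokens = float(burst)       # bucket starts full
        self.refill = per_minute / 60.0  # tokens per second
        self.last = None

    def verdict(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return "ACCEPT"
        # No match: the packet falls through; in a ping-flood setup the
        # following rule or chain policy would DROP it.
        return "DROP"


def run(events, limiter, per_source):
    """Feed (time, src) events in time order; return verdicts grouped by src."""
    out = defaultdict(list)
    for now, src in sorted(events):
        v = limiter.verdict(src, now) if per_source else limiter.verdict(now)
        out[src].append(v)
    return dict(out)


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
ATTACKER, ADMIN = "203.0.113.7", "198.51.100.2"

# SSH: the attacker opens a NEW connection every 5 s, gives up, retries at t=100.
SSH_EVENTS = [(t, ATTACKER) for t in (0, 5, 10, 15, 20, 25, 30, 100)] + \
             [(12, ADMIN), (40, ADMIN)]

# ICMP: the attacker pings once a second; the admin pings during and after.
PING_EVENTS = [(t, ATTACKER) for t in range(10) if t != 8] + \
              [(8, ADMIN), (90, ADMIN)]


def ssh_verdicts():
    return run(SSH_EVENTS, RecentLimiter(seconds=60, hitcount=4), per_source=True)


def ping_verdicts():
    return run(PING_EVENTS, LimitMatch(per_minute=1, burst=5), per_source=False)


if __name__ == "__main__":
    for name, fn in (("ssh  (recent, per-source)", ssh_verdicts),
                     ("ping (limit, shared bucket)", ping_verdicts)):
        print(name)
        for src, vs in fn().items():
            print(f"  {src:14} {' '.join(v[0] for v in vs)}")
```

Run it and the attacker's fifth through seventh SSH attempts inside the 60 s window are dropped while the admin's two connections go through untouched, and the retry at t=100 is accepted again because the old hits have aged out. Under the limit rule the admin's ping at t=8 is dropped along with the flood, since there is no per-address state; that is the trade-off of doing it "without a blacklist".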



More information about the PLUG mailing list