Successful SSH Attack - Need help cleaning up

Blake Barnett shadoi at nanovoid.com
Fri Oct 27 19:25:33 MDT 2006


On Oct 27, 2006, at 4:52 PM, Chris Carey wrote:

> On 10/27/06, Kyle Waters <unum at unum5.org> wrote:
>>
>> Someone suggested moving the ssh port to a different port, I think
>> this is an excellent suggestion.  You may also want to consider
>> setting a rate limit using iptables so that it is more difficult for
>> someone to use a brute force attack.  If you do set up rate limiting
>> your users will not have to make any changes on their end.
>
> Good idea. Could someone please post a sample iptables rate-limit for
> brute force attempts? I may get around to writing my own tonight
> unless someone has already done the homework. I guess one would need a
> rule that triggers on too many SYN per second to the SSH port? I
> wouldn't want the rule to trigger on an already established connection.
> We can't have it simply look for packets-per-second.

# record every NEW connection to port 22 in the recent module's per-source list
sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# drop a NEW connection when its source already has 4 hits in the last 60 seconds
sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Anything that hits port 22 more than 4 times within 60 seconds gets  
blocked.  Change the numbers to suit your situation.

-Blake
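Added illustration, not part of Blake's post: a small Python model of how the recent module counts hits for these two rules, run over constructed connection-attempt timestamps. It assumes the module's default of 20 remembered timestamps per source, and it evaluates the DROP rule before the --set rule because both commands use -I (insert at top), so the rule inserted last is checked first.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4
MAX_STAMPS = 20       # assumed: xt_recent's default ip_pkt_list_tot


class RecentList:
    """Model of the recent module's per-source timestamp list."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        # --set: add the source, or record one more hit for it; always matches
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        # --update --seconds S --hitcount N: matches only when the source already
        # has at least N stamps from the last S seconds.  A match records one more
        # stamp, so a source that keeps hammering keeps extending its own block.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t >= now - seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def simulate(attempts):
    """Apply the two rules, in their inserted order, to (src, time) NEW connections.
    Returns (src, time, verdict) where PASS means the packet continues down INPUT."""
    recent = RecentList()
    verdicts = []
    for src, now in sorted(attempts, key=lambda a: a[1]):
        if recent.update(src, now):          # rule 1: --update ... -j DROP
            verdicts.append((src, now, "DROP"))
        else:
            recent.set(src, now)             # rule 2: --set
            verdicts.append((src, now, "PASS"))
    return verdicts


# Constructed sample: one source connecting once a second for ten seconds, a
# normal user connecting twice, then the first source trying again after a pause.
SAMPLE_ATTEMPTS = ([("198.51.100.7", t) for t in range(10)]
                   + [("203.0.113.9", 2), ("203.0.113.9", 5)]
                   + [("198.51.100.7", 70)])

if __name__ == "__main__":
    for src, now, verdict in simulate(SAMPLE_ATTEMPTS):
        print(f"t={now:3d}s  {src:<14} {verdict}")
```

With the numbers from the post, the hammering source is dropped from its fifth attempt onward, is allowed again once 60 seconds have passed without any of its stamps in the window, and the second address is never affected.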



More information about the PLUG mailing list