[CentOS] One approach to dealing with SSH brute force attacks.

Wed Jan 30 17:17:22 UTC 2008
Ed Donahue <liberaled at gmail.com>

I use this one; it works great and is easy to set up.

http://rfxnetworks.com/bfd.php

On Jan 30, 2008 11:54 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

> Message-ID: <479F2A63.2070408 at centos.org>
>
> On: Tue, 29 Jan 2008 07:30:11 -0600, Johnny Hughes <johnny at centos.org>
> Subject Was: [CentOS] Unknown rootkit causes compromised servers
>
> >
> > SOME of the script kiddies check higher ports for SSH *_BUT_* I only see
> > 4% of the brute force attempts to login on ports other than 22.
> >
> > I would say that dropping brute force login attempts by 96% is quite a
> > good reason to move the SSH port from 22 to something else.
>
> I am not a fan of security through obscurity.  If a port is open to the
> internet then it must be secured whether it is well known or not, and if it
> is properly secured then changing the port number customarily assigned
> provides no measurable benefit.  In my opinion, arbitrarily switching port
> numbers for well known services provides only the illusion of security
> while often inconveniencing the legitimate users in unpredictable, and
> sometimes expensively resolved, fashions.
>
> To deal with brute force attacks (not just on ssh) I spent some time
> tracking down how others had dealt with the problem. I discovered thereby
> that one can use the simple linux firewall iptables to restrict the number
> of connections to a given port from a single source over a specified
> interval. I therefore added these rules to my /etc/sysconfig/iptables file:
>
> ...
> # This is usually present in all setups but, you never know....
> # Established connections go right through.
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> ...
>
> # Block brute force attacks
> # Drop repeated ssh connection attempts within a 20 second interval
> # (--rcheck only tests the THROTTLE list; it does not update it)
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 20 --name THROTTLE --rsource -j DROP
>
> # Accept ssh connection if not attempted within the past 20 sec.
> # (--set records the source address in the THROTTLE list)
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name THROTTLE --rsource -j ACCEPT
>
> You can change the interval from 20 seconds to whatever you feel
> represents a decent compromise between user satisfaction and security.
> Many authorities consider a value between 3 and 6 seconds sufficient to
> render brute force attacks impractical.  These rules can be trivially
> modified to protect any destination port (--dport 21 for ftp for instance)
> or protocol (-p udp).
>
> I hope this information is of use to some of you.  I find this list and
> its archives very helpful myself.
>
> Regards,
>
> --
> ***          E-Mail is NOT a SECURE channel          ***
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20080130/ca3e7b21/attachment-0005.html>
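The throttle quoted above is easier to reason about with a model of what the `recent` match actually does. The following Python is an added example, not code from the post, from CentOS or from iptables itself: it models the xt_recent semantics of --set, --rcheck, --update and --hitcount (a per-source list of packet timestamps, at most 20 kept by default) and replays a constructed timeline of new SSH connection attempts through the two quoted rules, and also through an --update/--hitcount form that the same match supports but which the post does not propose. The addresses, the timeline and the 60 s / 4-hit parameters are illustrative assumptions.

```python
"""
Offline model of the iptables 'recent' match (xt_recent) as used by the two
rules quoted above. The timeline of connection attempts is constructed for
illustration; the addresses are documentation ranges, not real hosts.
"""
from collections import defaultdict


class RecentList:
    """One named xt_recent table: source address -> timestamps recorded by
    --set/--update. The kernel keeps at most ip_pkt_list_tot (default 20)
    timestamps per address."""

    def __init__(self, name, max_stamps=20):
        self.name = name
        self.max_stamps = max_stamps
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet against src, creating the entry if needed."""
        stamps = self.stamps[src]
        stamps.append(now)
        del stamps[:-self.max_stamps]

    def check(self, src, now, seconds, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True) with --seconds and
        an optional --hitcount: match if src has an entry with at least
        max(hitcount, 1) packets recorded within the last `seconds`.
        --update also records the current packet, but only when it matched;
        that is what keeps a persistent attacker's window from expiring."""
        stamps = self.stamps.get(src)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        matched = hits >= max(hitcount, 1)
        if matched and update:
            self.set(src, now)
        return matched


def posted_policy(attempts, seconds=20):
    """The quoted rules, applied to NEW connections only:
      1. -m recent --rcheck --seconds 20 --name THROTTLE --rsource -j DROP
      2. -m recent --set --name THROTTLE --rsource -j ACCEPT
    Returns [(time, src, verdict), ...] in time order."""
    table = RecentList("THROTTLE")
    verdicts = []
    for t, src in sorted(attempts):
        if table.check(src, t, seconds):
            verdicts.append((t, src, "DROP"))
        else:
            table.set(src, t)
            verdicts.append((t, src, "ACCEPT"))
    return verdicts


def hitcount_policy(attempts, seconds=60, hitcount=4):
    """A variant xt_recent also supports (an assumption of this example, not
    something the post proposes): allow `hitcount` new connections per source
    within `seconds` before dropping, with --update so every dropped attempt
    refreshes the block:
      1. -m recent --update --seconds 60 --hitcount 4 --name THROTTLE --rsource -j DROP
      2. -m recent --set --name THROTTLE --rsource -j ACCEPT"""
    table = RecentList("THROTTLE")
    verdicts = []
    for t, src in sorted(attempts):
        if table.check(src, t, seconds, hitcount=hitcount, update=True):
            verdicts.append((t, src, "DROP"))
        else:
            table.set(src, t)
            verdicts.append((t, src, "ACCEPT"))
    return verdicts


def accepted_times(verdicts, src):
    """Times at which `src` was allowed to open a new connection."""
    return [t for t, s, v in verdicts if s == src and v == "ACCEPT"]


# Constructed timeline (seconds, source): a scripted attacker trying once per
# second and again after backing off, and a legitimate admin who mistypes a
# password, reconnects 5 s later, then comes back half a minute on.
ATTACKER, ADMIN = "203.0.113.5", "192.0.2.10"
ATTEMPTS = [
    (0, ATTACKER), (1, ATTACKER), (2, ATTACKER), (3, ATTACKER), (25, ATTACKER),
    (0, ADMIN), (5, ADMIN), (30, ADMIN),
]

if __name__ == "__main__":
    for name, policy in (("posted rules: --rcheck, 20 s", posted_policy),
                         ("--update, 60 s, --hitcount 4", hitcount_policy)):
        print(name)
        for t, src, verdict in policy(ATTEMPTS):
            print(f"  t={t:>3}s  {src:<12} {verdict}")
```

Running it makes the trade-off the post leaves to the reader concrete: with --rcheck and a 20 s window a source gets exactly one new SSH connection per window, so the admin who mistypes a password and reconnects 5 s later is dropped just like the attacker, while --hitcount tolerates a few retries and, because --update re-stamps the entry on every dropped attempt, a source that keeps hammering stays blocked until it has been quiet for the whole window. Two caveats apply to either form: the table is keyed on source address, so users behind one NAT share a bucket and an attacker spreading attempts over many addresses is not throttled at all; and the rules only see --state NEW, so several password guesses inside a single SSH session are limited by sshd (MaxAuthTries), not by iptables.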