[CentOS] [WTA] Automatically blocking on failed login
Tom Yates
madhatter at teaparty.net
Tue May 25 09:18:32 UTC 2010
On Tue, 25 May 2010, David wrote:
> I would like to use CentOS for all. I've a transparent firewall (CentOS
> + iptables) and I want to use it as a filter. I've been using iptables
> on the server machine (not in transparent firewall), and I want to get
> the job done by the firewall. Is it possible for my firewall to do this
> task while the computer being attacked is a different one?
sort of, yes. after some investigation and thought, i decided to protect
my ssh servers with rate-limiting, using iptables.
rate-limiting doesn't care whether a login succeeded or failed, it just
detects repeated attempts to connect from the same source address to the
same destination port, and blocks any past the first two in a rolling
60-second window (both parameters are of course configurable). this makes
it suitable for use on the firewall rather than the endpoint, and i
suspect it can be extended to IMAP and similar services (though mail
clients that wish to continually make new connections rather than keeping
existing ones open and reusing them will run into problems).
for sshd, analysis of last week's logs shows that the number of connection
attempts rejected this way each day varies from 2,200 to 82,000, while the
number of failed logins on sshd varies daily from 2 to 25 - so you can see
that this is somewhere between 99% and 99.997% effective at preventing
people from getting as far as a password-guessing attack. server load has
*substantially* decreased.
if this is of interest to you i wrote the details up at
http://www.teaparty.net/technotes/ssh-rate-limiting.html .
--
Tom Yates - http://www.teaparty.net
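One way to build the rate-limiting rules described above, as an added example that is not the rule set from Tom's write-up: it assumes sshd on tcp/22 behind a bridging CentOS firewall whose bridged traffic is handed to iptables, and the list name, log prefix and sample log lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not the rules from the author's write-up: per-source SSH
# rate-limiting with the iptables "recent" match on a transparent (bridging)
# CentOS firewall. Assumes sshd listens on tcp/22 behind the bridge and that
# bridged frames reach iptables (net.bridge.bridge-nf-call-iptables=1), so the
# rules live in the FORWARD chain rather than INPUT. Run as root with
# --apply to install them; with no argument it only prints them.
SSH_PORT=22
WINDOW=60      # rolling window, in seconds
BURST=2        # new connections a source may open inside that window
LIST=ssh_rl    # name of the recent-module address list (constructed)

# Emit the rules, one per line, so they can be reviewed before being applied.
ssh_ratelimit_rules() {
  port=$1; window=$2; burst=$3; list=$4
  m="-p tcp --dport $port --syn -m state --state NEW -m recent --name $list"
  # --rcheck/--update with --hitcount N match once N earlier SYNs from the
  # same source lie inside the window, i.e. from the third connection onward
  # with BURST=2. --update also refreshes the timestamp, so a source that
  # keeps trying stays blocked (the window "rolls"); --rcheck on the LOG rule
  # avoids recording each blocked attempt twice.
  echo "iptables -A FORWARD $m --rcheck --seconds $window --hitcount $burst -j LOG --log-prefix 'SSH-RL '"
  echo "iptables -A FORWARD $m --update --seconds $window --hitcount $burst -j DROP"
  # Anything that survives is recorded against its source and forwarded.
  echo "iptables -A FORWARD $m --set -j ACCEPT"
}

# Count dropped SYNs per source address from kernel log lines that carry the
# prefix above (stdin), busiest source first: the "connection attempts
# rejected" figure the post compares against failed logins on sshd.
blocked_per_source() {
  grep 'SSH-RL ' | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG rule would write via syslog.
SAMPLE_LOG='May 25 09:00:01 fw kernel: SSH-RL IN=br0 OUT=br0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22 SYN
May 25 09:00:02 fw kernel: SSH-RL IN=br0 OUT=br0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 SYN
May 25 09:00:05 fw kernel: SSH-RL IN=br0 OUT=br0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 SYN'

if [ "${1:-}" = "--apply" ]; then
  ssh_ratelimit_rules "$SSH_PORT" "$WINDOW" "$BURST" "$LIST" | while read -r rule; do eval "$rule"; done
else
  ssh_ratelimit_rules "$SSH_PORT" "$WINDOW" "$BURST" "$LIST"
  printf '%s\n' "$SAMPLE_LOG" | blocked_per_source
fi
```

The recent module's address table holds 100 sources by default (module parameter ip_list_tot), which a firewall seeing tens of thousands of rejected attempts a day will want raised. Legitimate users who open several sessions quickly should keep to the burst or use ControlMaster so the second and third sessions reuse the first connection.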