You could also try using tcpwrappers along with iptables.
On 04/04/2011 06:34 AM, Marian Marinov wrote:
On Monday 04 April 2011 12:18:43 Rainer Traut wrote:
Hi,
to prevent scripted dictionary attacks to sshd I applied those iptables rules:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --rsource
And this is part of logwatch:
sshd: Authentication Failures: unknown (www.telkom.co.ke): 137 Time(s) unknown (mkongwe.jambo.co.ke): 130 Time(s) unknown (212.49.70.24): 107 Time(s) root (195.191.250.101): 8 Time(s)
How is it possible for an attacker to try to logon more then 4 times? Can the attacker do this with only one TCP/IP connection without establishing a new one? Or have the scripts been adapted to this?
The attackers are not trying constantly.. Just a few bursts of trys.
Look at denyhosts ( http://denyhosts.sourceforge.net/ ). I also have a tool for protecting from brute force attacks called Hawk ( https://github.com/hackman/Hawk-IDS-IPS ).
Marian
Thx Rainer _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos