[CentOS] Re: ssh attack

Thu Feb 16 10:59:07 UTC 2006
Kay Diederichs <kay.diederichs at uni-konstanz.de>

Max wrote:
> John Merritt wrote:
> 
>> Hi,
>>
>> Thanks to everyone who responded. I learned a lot today.
>>
> 
> I found a cool project called DenyHosts that I just set up last evening 
> for this purpose. I haven't used it very long, but it was very easy to 
> set up, and seems to be working for me. I know it's cut down on the 
> invalid user logging in /var/log/secure in a matter of a day already, 
> and I've even left SSH traffic on port 22, just to make sure that it's 
> being hammered on.
> 
> Check it out.
> 
> <http://denyhosts.sourceforge.net/index.html>
> 
> Max

A very simple way of denying repeated ssh access after the first time is to 
replace the

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

line in /etc/sysconfig/iptables with the following two lines (the mailer might 
wrap them):

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --update --seconds 30 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --set -j ACCEPT

The only drawback is that a permitted user has to wait 30 seconds after the end 
of an ssh session before she can establish a new one.

Works very well here.

Kay
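
Added example, not part of the original post: a small Python model of how the two "recent" rules above treat NEW packets to port 22, run over constructed connection attempts. It assumes one timestamp per source address and whole-second times; the function name and the sample addresses are hypothetical.

```python
# Model of the two `-m recent --name SSH` rules for NEW packets to port 22.
# Simplification (assumption): one timestamp per source address, no limit
# on the size of the list, and time given in whole seconds.
WINDOW = 30  # --seconds 30


def filter_new_ssh(attempts, window=WINDOW):
    """attempts: iterable of (time_s, src_ip), sorted by time.
    Returns a list of (time_s, src_ip, verdict)."""
    last_seen = {}  # the "SSH" recent list: src_ip -> last timestamp
    verdicts = []
    for t, src in attempts:
        seen = last_seen.get(src)
        if seen is not None and t - seen <= window:
            # Rule 1: --update matches, the timestamp is refreshed, DROP.
            verdict = "DROP"
        else:
            # Rule 2: --set records (or refreshes) the address, ACCEPT.
            verdict = "ACCEPT"
        # Either rule leaves the timestamp at the arrival time of this
        # NEW packet, so every attempt restarts the window.
        last_seen[src] = t
        verdicts.append((t, src, verdict))
    return verdicts


# Constructed traffic: one source retrying every 10 s and one user who
# connects twice, 45 s apart. Addresses are from documentation ranges.
SAMPLE = [
    (0, "192.0.2.10"), (10, "192.0.2.10"), (20, "192.0.2.10"),
    (30, "192.0.2.10"), (40, "192.0.2.10"),
    (5, "198.51.100.7"), (50, "198.51.100.7"),
]

if __name__ == "__main__":
    for t, src, verdict in filter_new_ssh(sorted(SAMPLE)):
        print(f"t={t:>3}s  {src:<13} {verdict}")
```

A source that keeps retrying inside the window never gets a second ACCEPT, because each dropped attempt refreshes its own entry.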