[CentOS] Ideas for stopping ssh brute force attacks
centos at linuxpowered.net
Mon Jul 21 22:48:31 UTC 2008
D Steward wrote:
> Because I don't believe a solution such as fail2ban will scale (it can't
> be healthy having tens of thousands of IPs in iptables), I use denyhosts
Wherever possible I use layer 2 bridging OpenBSD firewalls in front of
my networks; I don't have a problem with brute force attacks, but it
seems it can scale to tens of thousands of IPs without a problem. I'm
not sure if iptables has similar capabilities or not --
"[..]Lookups against a table are very fast and consume less memory and
processor time than lists. For this reason, a table is ideal for holding
a large group of addresses as the lookup time on a table holding 50,000
addresses is only slightly more than for one holding 50 addresses"
And the pf equivalent to the iptables throttling:
table <abusive_hosts> persist
block in quick from <abusive_hosts>
pass in on $ext_if proto tcp to $web_server \
    port www flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <abusive_hosts> flush)
This does the following:
* Limits the maximum number of connections per source to 100
* Rate limits the number of connections to 15 in a 5 second span
* Puts the IP address of any host that breaks these limits into the
* For any offending IP addresses, flush any states created by this rule.
I don't like/use OpenBSD for anything other than firewalls. But I
do think as a firewall, pf really can't be beat, the configuration
for typical rules just 'flows'. IPTables by comparison is so cryptic.
(speaking as a past user of ipfwadm, ipfw, ipchains, iptables, pf,
and Cisco PIX, which is probably the worst of the ones I've used).
I use linux pretty much everywhere else other than firewalls. Even
my preferred network gear - load balancers and switches run linux
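For the iptables side of the question above, the following is an added example (not code from the thread or from the pf FAQ) that approximates the pf rule's three parts with stock netfilter modules: connlimit for max-src-conn, xt_recent for max-src-conn-rate, and an ipset hash, the closest iptables analogue of a pf table, for the overload list. The chain names SSH_THROTTLE and SSH_BAN, the set name ssh_abuse, port 22 and the one-hour ban are all assumed values. The function only prints the ruleset; it is meant to be reviewed and then piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables + ipset approximation of the pf
# "max-src-conn / max-src-conn-rate / overload <table>" rule, aimed at sshd.
# Names (SSH_THROTTLE, SSH_BAN, ssh_abuse) and all defaults are assumptions.
# The function only prints the commands; review them, then run them as root.

emit_ssh_throttle_rules() {
    port="${1:-22}"        # pf: port www               -> here the sshd port
    max_conn="${2:-100}"   # pf: max-src-conn 100
    rate="${3:-15}"        # pf: max-src-conn-rate 15/5 -> 15 new connections ...
    window="${4:-5}"       # ... per 5 seconds
    ban_secs="${5:-3600}"  # how long an overloaded source stays in the ban set

    # xt_recent keeps at most ip_pkt_list_tot (default 20) timestamps per address,
    # so a hitcount above that can never be reached; refuse it up front.
    if [ "$rate" -gt 20 ]; then
        echo "rate $rate exceeds xt_recent ip_pkt_list_tot (20); raise the module parameter first" >&2
        return 1
    fi

    cat <<EOF
# Ban list is an ipset hash, the iptables analogue of a pf table: O(1) lookup
# however many addresses it holds, and 'timeout' expires entries on its own.
ipset create ssh_abuse hash:ip timeout ${ban_secs} -exist

iptables -N SSH_BAN 2>/dev/null || iptables -F SSH_BAN
# overload <abusive_hosts>: record the offender, then drop the packet
iptables -A SSH_BAN -j SET --add-set ssh_abuse src --exist
iptables -A SSH_BAN -j DROP

iptables -N SSH_THROTTLE 2>/dev/null || iptables -F SSH_THROTTLE
# block in quick from <abusive_hosts>: banned sources never reach the counters
iptables -A SSH_THROTTLE -m set --match-set ssh_abuse src -j DROP
# max-src-conn ${max_conn}: too many concurrent connections from one address
iptables -A SSH_THROTTLE -m connlimit --connlimit-above ${max_conn} --connlimit-mask 32 -j SSH_BAN
# max-src-conn-rate ${rate}/${window}: 'ssh_new' holds one timestamp per accepted SYN;
# once ${rate} of them fall inside the last ${window} s, the next SYN is overloaded
iptables -A SSH_THROTTLE -m recent --name ssh_new --rcheck --seconds ${window} --hitcount ${rate} -j SSH_BAN
iptables -A SSH_THROTTLE -m recent --name ssh_new --set -j ACCEPT

# flags S/SA keep state: only new SYNs to the service enter the throttle chain
iptables -A INPUT -p tcp --dport ${port} --syn -m conntrack --ctstate NEW -j SSH_THROTTLE
EOF
}

# Print the ruleset with the defaults (or the five positional overrides)
emit_ssh_throttle_rules "$@"
```

Two things differ from pf. The scaling concern from the quoted message is handled by putting only the ban list in the ipset; the xt_recent list just has to remember sources seen in the last few seconds, but on a busy host its default capacity of 100 addresses (module parameter ip_list_tot) should still be raised. The pf `flush` option has no netfilter equivalent; an overloaded source's existing sessions keep their conntrack state until they close, unless something like `conntrack -D -s ADDR` from conntrack-tools removes them.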