[CentOS] Intrusion Attempt Prevention - iptables problems

Mon Jan 12 20:24:54 UTC 2009
James B. Byrne <byrnejb at harte-lyne.ca>

Thanks for the help.  I completely missed that error.

This guy is persistent.  After I cut off 220.232.152.137 we had intrusion
attempts from 216.107.171.10.  After I cut off that one then we had
attempts from 69.80.235.135.  Since blocking that network we have had no
more attempts recorded.

When I first detected this attempt I thought that my iptables ssh throttle
rules were somehow defective:

15   DROP       tcp  --  anywhere             anywhere            tcp
dpt:ssh state NEW recent: CHECK seconds: 15 name: THROTTLE side: source
16   ACCEPT     tcp  --  anywhere             anywhere            tcp
dpt:ssh state NEW recent: SET name: THROTTLE side: source


however, more careful consideration of the log entries showed that the
intruder was connecting every 23-24 seconds, which is outside the throttle
threshold of 15 seconds.  I am still concerned about any brute force
attempt to discover the root password but, given no more than four
connections per minute is possible, just how concerned should I be?

It is evident that this attacker had more than one netblock available.  It
is conceivable that, instead of serially attacking us, they could just as
easily have attempted multiple simultaneous connections from all of their
available IP addresses.  This would completely defeat the current throttle
rules.  Should I also throttle the total number of new connections from
all IPs?


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
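As an added illustration (not part of the message above), a small Python model of the xt_recent SET/CHECK behaviour behind rules 15 and 16, run over constructed traffic: one source every 23 s, three sources interleaved, and the same rules keyed to a single bucket so that all sources share one counter. The `--hitcount` window and the shared-bucket variant are assumed alternatives, not rules from the original post.

```python
"""Model of iptables' xt_recent match (--set / --rcheck) as used by the
two ssh-throttle rules: CHECK seconds:15 -> DROP, then SET -> ACCEPT.
All traffic below is constructed, not taken from real logs."""
from collections import defaultdict


class RecentList:
    """Per-address timestamp history, like the THROTTLE recent list."""

    def __init__(self, max_stamps=20):      # xt_recent ip_pkt_list_tot default
        self.hist = defaultdict(list)
        self.max_stamps = max_stamps

    def set(self, addr, now):
        """--set: add the address, or record another hit for it."""
        stamps = self.hist[addr]
        stamps.append(now)
        del stamps[:-self.max_stamps]

    def rcheck(self, addr, now, seconds, hitcount=1):
        """--rcheck --seconds N [--hitcount M]: true when the address has at
        least M recorded hits within the last N seconds (no refresh)."""
        recent = [t for t in self.hist.get(addr, []) if now - t <= seconds]
        return len(recent) >= hitcount


def run_throttle(events, seconds, hitcount=1, key=lambda src: src):
    """Apply rule 15 (CHECK -> DROP) then rule 16 (SET -> ACCEPT) to a list
    of (time, src) NEW ssh connections.  `key` maps a source to the list
    entry it is counted under; key=lambda s: "ALL" models one shared bucket
    for every source (the "throttle all IPs together" question)."""
    throttle, verdicts = RecentList(), []
    for now, src in events:
        if throttle.rcheck(key(src), now, seconds, hitcount):
            verdicts.append((now, src, "DROP"))
        else:
            throttle.set(key(src), now)
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


def dropped(verdicts):
    return sum(1 for _, _, v in verdicts if v == "DROP")


# Constructed: one source connecting every 23 s for ten minutes (27 attempts).
SERIAL = [(t, "198.51.100.7") for t in range(0, 600, 23)]
# Constructed: three sources, each every 23 s, offset by 7 s from one another.
PARALLEL = sorted((t + i * 7, f"198.51.100.{i}")
                  for i in range(3) for t in range(0, 600, 23))

if __name__ == "__main__":
    print("15 s CHECK, one source      :", dropped(run_throttle(SERIAL, 15)))
    print("120 s / hitcount 4, one src :", dropped(run_throttle(SERIAL, 120, 4)))
    print("15 s CHECK, three sources   :", dropped(run_throttle(PARALLEL, 15)))
    print("15 s CHECK, shared bucket   :", dropped(run_throttle(PARALLEL, 15, key=lambda s: "ALL")))
```

The per-source rule never fires at a 23 s cadence, and adding sources only multiplies the accepted rate; a shared bucket caps the aggregate but also drops legitimate logins that happen to land in the same window, so the hitcount form is the gentler option.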