GoFuckYourself.com - Adult Webmaster Forum


toddler 01-28-2006 01:29 AM

iptables for ssh brute force attacks
 
Had a new client ask me to take a look at his machines today, found a nice number of brute force ssh attempts. Hopefully it'll help someone out:

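#!/bin/sh
PATH=/sbin

# Dedicated chain for inbound SSH traffic
iptables -N sshthrottle
# Packets belonging to connections that are already open pass through
iptables -A sshthrottle -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept up to 3 new connections (SYN) per minute, burst of 3
# (-m limit keeps one counter for this rule, shared by all matching packets)
iptables -A sshthrottle -p TCP --syn -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
# Anything beyond the limit is logged with a searchable prefix, then rejected
iptables -A sshthrottle -p TCP -j LOG --log-level "NOTICE" --log-prefix '[DROP:RATE_LIMIT] '
iptables -A sshthrottle -p TCP -j REJECT
# Send all TCP traffic for port 22 through the chain, ahead of other INPUT rules
iptables -I INPUT -p TCP -s 0/0 --dport 22 -j sshthrottle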

This sets up a rule that is triggered by more than 3 hits to the ssh port by the same source IP in one minute, then activates the sshthrottle rule which rejects the packets after that and logs them with the '[DROP:RATE_LIMIT]' tag.



Dig it out of your syslog/messages later with this:

cat $file | sed -e 's/SRC=//g' | sort | uniq -c | sort -n
grep RATE_LIMIT firewall | awk '{print $10}' | sed -e 's/SRC=//g' | sort | uniq -c | sort -n
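
A sturdier take on the log pipeline in the post above, as an added example that is not part of the original thread: it finds the SRC= field by name instead of by column position, so lines where the kernel prepends a timestamp are still counted correctly. The sample log lines are constructed and use documentation addresses; `sample_log`, `count_sources` and `over_threshold` are names made up for this example.

```shell
#!/bin/sh
# Added example: count rejected SSH connection attempts per source address
# from iptables LOG lines carrying the '[DROP:RATE_LIMIT] ' prefix.

# Constructed sample input (documentation address ranges, shortened fields).
# The third line has a kernel timestamp, which shifts SRC= from field 10 to 12.
# The last line is an unrelated sshd message and must be ignored.
sample_log() {
cat <<'EOF'
Jan 28 01:12:03 web1 kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= MAC=00:16:3e:00:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22 SYN
Jan 28 01:12:05 web1 kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= MAC=00:16:3e:00:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=22 SYN
Jan 28 01:12:09 web1 kernel: [ 8123.440012] [DROP:RATE_LIMIT] IN=eth0 OUT= MAC=00:16:3e:00:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40114 DPT=22 SYN
Jan 28 01:13:40 web1 kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= MAC=00:16:3e:00:00:01 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=22 SYN
Jan 28 01:13:41 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51514 ssh2
EOF
}

# count_sources: read syslog lines on stdin and print "<count> <source ip>",
# busiest source first. Only lines with the throttle prefix are considered.
count_sources() {
    awk '
        index($0, "[DROP:RATE_LIMIT]") {
            # Locate SRC= by key, wherever it sits on the line
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { hits[substr($i, 5)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# over_threshold MIN: print only the sources with at least MIN rejected attempts,
# e.g. as candidates for a closer look or a longer-lived block.
over_threshold() {
    count_sources | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo run on the constructed sample; on a real host, feed the log file instead:
#   count_sources < /var/log/messages
sample_log | count_sources
```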

grumpy 01-28-2006 03:26 AM

Isn't that a bit low, three in a minute? Shouldn't that be 3 in one second?

