Iptables

from ILuxWiki

How to deter SSH brute force login attacks with iptables

With the iptables recent module it is easy to slow down SSH login brute-force attacks. Every time a TCP connection to our SSH daemon is torn down (a FIN/ACK or a RST from the client on an established connection), we add the client's address to a temporary list. Once the same address has torn down 4 connections within 60 seconds it is blocked, and it stays blocked until fewer than 4 of its hits fall inside the trailing 60-second window. Adjust --hitcount and --seconds to fit your needs. Two things to keep in mind: the rules must sit before any rule in INPUT that accepts ESTABLISHED traffic, otherwise the teardown packets are accepted before the recent module ever sees them; and the two --rcheck rules below carry no --dport, so a flagged address loses all traffic to the host, not just SSH (add -p tcp --dport 22 to both if you want SSH only).

# Record the client's side of a teardown on an established SSH connection:
# a FIN/ACK or a RST. --set adds the source address to the list "sshattack"
# (or refreshes an existing entry); it has no -j, so the packet continues.
iptables -A INPUT -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp -m state --state ESTABLISHED --tcp-flags RST RST --dport 22 -m recent --name sshattack --set

# Addresses with 4 or more hits in the last 60 seconds: log (at most 4 lines
# a minute) and drop. There is no --dport here, so every packet from the
# address is dropped; add "-p tcp --dport 22" to both rules to limit it to SSH.
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -m limit --limit 4/minute -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j DROP

This solution is better than the one that counts SYN packets. A SYN is a single packet with a forgeable source address, so with SYN counting an attacker can send a few spoofed SYNs carrying the address of a legitimate SSH user and lock that user out. Here only the teardown of a connection that conntrack has already seen in both directions is counted, and a blind spoofer cannot complete a handshake for an address they do not control. The residual exposure is that the host whose address is spoofed answers our unsolicited SYN/ACK with a RST of its own (unless a firewall in front of it drops the SYN/ACK), and conntrack accepts that RST as part of the established connection, so a determined attacker can still drive up the hit count for a spoofed address, only less easily than with raw SYNs.
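The following script is an added example and is not part of the original wiki page. It installs the same recent-module throttle, but differs from the rules above in three ways that address the caveats discussed: the rules live in their own chain (named SSHATTACK here, an assumption of this example) which is inserted at position 1 of INPUT so it always runs before a generic ESTABLISHED accept; only new SSH connections (--syn) from a flagged address are dropped, not all of its traffic; and a TRUSTED list of CIDRs is never counted. It uses -m conntrack --ctstate, the current spelling of -m state. The helpers read the kernel's /proc/net/xt_recent/<list> table and remove an address from it using the documented "-addr" write; the snapshot in sample_recent_table is constructed so the parsing can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original wiki page): recent-module SSH throttle
# in its own chain, restricted to new SSH connections, with a trusted bypass
# and helpers to inspect and clear the list. Chain name SSHATTACK, list name
# sshattack and all defaults below are this example's choices.
set -eu

SSH_PORT="${SSH_PORT:-22}"
HITCOUNT="${HITCOUNT:-4}"
WINDOW="${WINDOW:-60}"
TRUSTED="${TRUSTED:-}"   # space-separated CIDRs never counted, e.g. "10.0.0.0/8"
LIST=sshattack
CHAIN=SSHATTACK

# Print the iptables commands for port $1, hitcount $2 and a $3-second window.
# Review the output, then pipe it to "sudo sh" (or run this script with "apply").
ssh_brute_rules() {
    port=$1
    hits=$2
    secs=$3
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for net in $TRUSTED; do
        echo "iptables -A $CHAIN -s $net -j RETURN"
    done
    # Record the client's side of a teardown (FIN/ACK or RST) on an established
    # SSH session; --set does not terminate, so the packet continues.
    echo "iptables -A $CHAIN -p tcp -m conntrack --ctstate ESTABLISHED --tcp-flags FIN,ACK FIN,ACK -m recent --name $LIST --set"
    echo "iptables -A $CHAIN -p tcp -m conntrack --ctstate ESTABLISHED --tcp-flags RST RST -m recent --name $LIST --set"
    # Refuse only new SSH connections (--syn) from an address with $hits
    # teardowns in the last $secs seconds; log at most 4 lines a minute.
    echo "iptables -A $CHAIN -p tcp --syn -m recent --name $LIST --rcheck --seconds $secs --hitcount $hits -m limit --limit 4/minute -j LOG --log-prefix 'SSH attack: '"
    echo "iptables -A $CHAIN -p tcp --syn -m recent --name $LIST --rcheck --seconds $secs --hitcount $hits -j DROP"
    # Re-insert the jump at position 1 (idempotent) so the chain sees the
    # FIN/RST packets before a generic ESTABLISHED -> ACCEPT rule takes them.
    echo "iptables -D INPUT -p tcp --dport $port -j $CHAIN 2>/dev/null || true"
    echo "iptables -I INPUT 1 -p tcp --dport $port -j $CHAIN"
}

# Constructed snapshot of /proc/net/xt_recent/sshattack in the kernel's format
# ("src=ADDR ttl: T last_seen: J oldest_pkt: N ts1, ts2, ..."; timestamps are
# jiffies), so the parser below can be exercised without root.
sample_recent_table() {
    cat <<'EOF'
src=192.0.2.10 ttl: 64 last_seen: 4295032 oldest_pkt: 4 4295000, 4295010, 4295020, 4295032
src=198.51.100.7 ttl: 64 last_seen: 4295050 oldest_pkt: 2 4295040, 4295050
EOF
}

# Read a recent table on stdin and print "ADDR HITS" for each address with at
# least $1 recorded hits. This is the count of timestamps the kernel keeps
# (up to ip_pkt_list_tot), not the --seconds window the rule itself evaluates.
flagged_addresses() {
    awk -v min="$1" '
        /^src=/ {
            addr = substr($1, 5)
            split($0, parts, /oldest_pkt: [0-9]+ */)
            n = split(parts[2], stamps, /, */)
            if (n >= min) print addr, n
        }'
}

# Remove one address from the list (documented "-addr" write to the proc file).
unblock_address() {
    echo "-$1" > "/proc/net/xt_recent/$LIST"
}

case "${1:-print}" in
    print)   ssh_brute_rules "$SSH_PORT" "$HITCOUNT" "$WINDOW" ;;
    apply)   ssh_brute_rules "$SSH_PORT" "$HITCOUNT" "$WINDOW" | sh ;;
    status)  flagged_addresses "$HITCOUNT" < "/proc/net/xt_recent/$LIST" ;;
    demo)    sample_recent_table | flagged_addresses "$HITCOUNT" ;;
    unblock) unblock_address "${2:?address}" ;;
esac
```

Run it without arguments to review the generated rules, "apply" (as root) to install them, "status" to list addresses that have accumulated hits, and "unblock 192.0.2.10" to clear one entry without touching the rule set. Dropping only --syn packets means an already established session from a flagged address keeps working; if you want the original page's behaviour of dropping everything from the address, remove --syn from the two --rcheck rules.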