[lug] SSH Probing Solution using IPTables

Dan Ferris dan at usrsbin.com
Wed Sep 14 09:24:44 MDT 2005


Have you tried to tarpit those and run ssh on another port?

Dan

George Sexton wrote:

>I've gotten tired of looking at hundreds or thousands of probe attempts in
>my server logs lately. I was toying with the idea of writing a monitor app
>that would look at the server logs, and create a custom firewall rule that
>would block the IP after so many failed attempts.
>
>In an uncharacteristic flash, I decided to search the web for solutions.
>Here's an adaptation of what I found. It uses the "recent" module to create
>a firewall rule that will block any IP that attempts more than 3 new SSH
>sessions in a 3 minute period. I let it run last night, and I could see 3
>different probe attempts, and all 3 were blocked after 3 tries.
>
>I found a set of rules that Sean Reifschneider had written, using the limit
>module. The problem with the limit module was that lockout was based on the
>entire service, and not the originating IP as the "recent" solution is.
>Anyhow, here are the firewall rules. Of course, the limit solution works on
>a 2.4 kernel, where it appears recent requires 2.6. I'd welcome any comments.
>
>
>iptables -F SSHRULES
>iptables -X SSHRULES
>iptables -N SSHRULES
>#
># If it's an already established session, let it continue.
>#
>iptables -A SSHRULES -m state --state ESTABLISHED,RELATED -j ACCEPT
>#
># If it's a new session, rate limit it by IP address using the RECENT module.
>#
>iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES --set
>iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES \
>        --update --seconds 180 --hitcount 4 -j DROP
>#
># If we got here, we are a new connection and not violating the rate limit.
>#
>iptables -A SSHRULES -j ACCEPT
>
>########################################################################
>#       END SSH RULES
>########################################################################
>
>
>iptables -A INPUT -i $WAN_IF -p tcp --dport ssh  -j SSHRULES
>
>
>
>George Sexton
>MH Software, Inc.
>http://www.mhsoftware.com/
>Voice: 303 438 9585
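The chain George posted counts NEW connections per source address in the SSHPROBES list. As an added illustration (not from the original post, and a simplified model of the kernel's recent module rather than its code), here is a Python simulation that walks those two rules for a stream of constructed connection attempts. It shows why "--hitcount 4" with "--set" placed ahead of "--update" drops the fourth attempt within 180 seconds, that other source addresses are unaffected, and that "--update" refreshes the entry on every dropped attempt, so a prober that keeps retrying stays locked out where "--rcheck" would let it back in once the old timestamps age out. The addresses are documentation ranges and the timings are made up.

```python
"""Simulate the SSHRULES chain from the post against a stream of NEW
SSH connection attempts, to show what the recent-module parameters do.

This is an approximation of xt_recent's behaviour (not kernel code):
  --set                      record a timestamp for the source IP
  --update --seconds S
           --hitcount N      match when the IP has at least N timestamps
                             within the last S seconds; on a match, record
                             the current time again (that refresh is what
                             distinguishes --update from --rcheck)
Because the posted chain runs --set before --update, the packet being
examined counts toward the hitcount, so hitcount 4 means the 4th attempt
within the window is the first one dropped.
"""
from collections import defaultdict

WINDOW_SECONDS = 180   # --seconds 180 from the post
HITCOUNT = 4           # --hitcount 4 from the post
LIST_TOT = 20          # xt_recent keeps at most ip_pkt_list_tot stamps per entry (default 20)


class RecentTable:
    """One named recent list (SSHPROBES in the post): source IP -> timestamps."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        # --set: add the entry if missing and record this packet's time
        self.stamps[ip] = (self.stamps[ip] + [now])[-LIST_TOT:]

    def check(self, ip, now, refresh=True):
        # --update / --rcheck: count the stamps that fall inside the window
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= self.window)
        if hits < self.hitcount:
            return False
        if refresh:            # --update also refreshes the entry on a match
            self.set(ip, now)
        return True


def verdict_for_new_packet(table, ip, now, refresh=True):
    """Walk the NEW-state part of SSHRULES for one packet; returns ACCEPT or DROP."""
    table.set(ip, now)                       # -m recent --name SSHPROBES --set
    if table.check(ip, now, refresh):        # --update --seconds 180 --hitcount 4 -j DROP
        return "DROP"
    return "ACCEPT"                          # final rule: -j ACCEPT


def simulate(events, refresh=True, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """events: iterable of (seconds, source_ip). Returns [(seconds, ip, verdict)]."""
    table = RecentTable(window, hitcount)
    return [(t, ip, verdict_for_new_packet(table, ip, t, refresh))
            for t, ip in sorted(events)]


def verdicts(results, ip):
    """Just the ACCEPT/DROP sequence for one source address."""
    return [v for _, who, v in results if who == ip]


# Constructed sample traffic (documentation addresses, not real hosts):
PROBER = "203.0.113.5"
ADMIN = "198.51.100.7"
# a four-packet burst, then one retry every 61 seconds
BURST_THEN_RETRY = [(t, PROBER) for t in (0, 1, 2, 3, 64, 125, 186, 247)]
# a prober and an admin arriving at the same time from different addresses
INTERLEAVED = [(t, PROBER) for t in (0, 10, 20, 30, 40)] + [(5, ADMIN), (25, ADMIN)]


if __name__ == "__main__":
    for label, events, refresh in [
        ("interleaved admin + prober, --update", INTERLEAVED, True),
        ("burst then retry every 61 s, --update", BURST_THEN_RETRY, True),
        ("burst then retry every 61 s, --rcheck", BURST_THEN_RETRY, False),
    ]:
        print(label)
        for t, ip, v in simulate(events, refresh):
            print(f"  t={t:4d}s  {ip:14s} {v}")
```

Running it shows the prober accepted three times and then dropped while the admin's two connections go through untouched. With the refresh that --update performs, the 61-second retries never get a fourth stamp out of the window, so the lockout lasts as long as the probing does; the same retries under an --rcheck style check are accepted again once only three stamps remain inside the window. The flip side of the refresh is that a legitimate user who locked himself out and keeps retrying extends his own ban, so it pays to tell people to wait the full window before trying again.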


