[lug] DOS ssh attacks
George Sexton
gsexton at mhsoftware.com
Sat Jan 10 09:27:04 MST 2009
Here are some fragments from my IPTables scripts. They limit the number
of bad login attempts permitted and then insert a lockout rule.
ALLOW_SSH_HOSTS="importanthost.mydomain.com"
# WAN_IF (the external interface) and the LOGDROP chain (log, then DROP)
# are defined elsewhere in the script; only the SSH parts are shown here.
########################################################################
# SSH RULES
########################################################################
# Start from an empty SSHRULES chain (the flush/delete errors are
# harmless on the first run, when the chain does not exist yet).
iptables -F SSHRULES 2>/dev/null
iptables -X SSHRULES 2>/dev/null
iptables -N SSHRULES
#
# If it's an already established session, let it continue.
#
iptables -A SSHRULES -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Trusted hosts bypass the rate limit entirely, so a lockout can never
# keep us out from them.  Only the first IPv4 address of each host is
# used (a CNAME or an IPv6 line would otherwise give a bogus field).
#
if [ -n "$ALLOW_SSH_HOSTS" ]; then
    for THISHOST in $ALLOW_SSH_HOSTS; do
        THISIP=$(host "$THISHOST" | awk '/has address/ { print $4; exit }')
        [ -n "$THISIP" ] && \
            iptables -A SSHRULES -m state --state NEW --source "$THISIP" -j ACCEPT
    done
fi
#
# If it's a new session, rate limit it by IP address using the
# RECENT module: --set records the source in the SSHPROBES list, and
# --update matches once that source has 6 or more new connections
# (this one included) within the last 180 seconds, handing it to
# LOGDROP.  Every attempt, dropped or not, adds a timestamp, so a
# source stays blocked as long as it keeps up that rate.
#
iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES \
    --set
iptables -A SSHRULES -m state --state NEW -m recent --name SSHPROBES \
    --update --seconds 180 --hitcount 6 -j LOGDROP
#
# If we got here, we are a new connection and not violating the
# rate limit.
#
iptables -A SSHRULES -j ACCEPT
########################################################################
# END SSH RULES
########################################################################
iptables -A INPUT -i "$WAN_IF" -p tcp --dport ssh -j SSHRULES
Rob Nagler wrote:
> We've been under heavy attack the last 24 hours. The only annoyance is
> that all the ssh connections are sucked up for a period of time so we
> can't get in via certain machines' public interfaces. Blocking the
> addresses in iptables fixes the problem.
>
> This seems to be localized to our ViaWest hosts. Our FRII rack is
> always available.
>
> Is anybody else experiencing this type of attack (see log entries
> appended) right now?
>
> Another question is: any tricks we can use to slow down requests to
> ssh so we don't get locked out?
>
> Thanks,
> Rob
>
> ----------------------------------------------------------------
> Jan 10 08:53:37 host1 sshd(pam_unix)[28289]: check pass; user unknown
> Jan 10 08:53:37 host1 sshd(pam_unix)[28289]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.219.159.13
--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/
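An added example, not part of George's script or Rob's mail: the Python below replays sshd failure lines in the pam_unix format Rob appended through a small model of the SSHRULES chain, so you can see on a log excerpt which sources the --set / --update --seconds 180 --hitcount 6 pair would send to LOGDROP and which would slip under the window. Python is used because it runs offline against the log text without touching a firewall. Assumptions: the addresses and timestamps are constructed (RFC 5737 documentation ranges), the year 2009 is taken from the mail date because syslog lines carry none, the xt_recent default of 20 kept timestamps per address is assumed, and each failure line is treated as one NEW TCP connection (a real sshd allows several password tries per connection, so the firewall sees fewer hits than the log shows).

```python
"""Replay sshd failure lines through a model of the SSHRULES rate limit.

Constructed example; the addresses, timestamps and YEAR are assumptions,
and each pam_unix failure line is treated as one NEW TCP connection.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 180   # --seconds 180 in the SSHRULES chain
HITCOUNT = 6           # --hitcount 6
IP_PKT_LIST_TOT = 20   # xt_recent default: timestamps kept per address
YEAR = 2009            # syslog lines carry no year; assumed from the mail date

# pam_unix failure lines in the format quoted in the thread; rhost is the peer.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)"
)

# Constructed log excerpt (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 10 08:50:00 host1 sshd(pam_unix)[28001]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Jan 10 08:52:00 host1 sshd(pam_unix)[28002]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Jan 10 08:53:37 host1 sshd(pam_unix)[28289]: check pass; user unknown
Jan 10 08:53:37 host1 sshd(pam_unix)[28289]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 10 08:53:41 host1 sshd(pam_unix)[28290]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 10 08:53:45 host1 sshd(pam_unix)[28291]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 10 08:53:50 host1 sshd(pam_unix)[28292]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 10 08:53:54 host1 sshd(pam_unix)[28293]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 10 08:53:58 host1 sshd(pam_unix)[28294]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 10 08:54:00 host1 sshd(pam_unix)[28003]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Jan 10 08:54:03 host1 sshd(pam_unix)[28295]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 10 08:54:07 host1 sshd(pam_unix)[28296]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Jan 10 08:55:00 host1 sshd(pam_unix)[28300]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jan 10 08:55:10 host1 sshd(pam_unix)[28301]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jan 10 08:55:20 host1 sshd(pam_unix)[28302]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jan 10 08:56:00 host1 sshd(pam_unix)[28004]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Jan 10 08:58:00 host1 sshd(pam_unix)[28005]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Jan 10 09:00:00 host1 sshd(pam_unix)[28006]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
"""


def parse_failures(text, year=YEAR):
    """Return [(epoch_seconds, rhost)] for each failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts.timestamp(), m["rhost"]))
    return events


def recent_match(events, allow=frozenset(), window=WINDOW_SECONDS,
                 hitcount=HITCOUNT, list_tot=IP_PKT_LIST_TOT):
    """Model of the SSHRULES chain for NEW connections.

    Allowed sources are ACCEPTed before the recent list is touched.  For every
    other source '--set' records the connection, then '--update --seconds W
    --hitcount N' matches (LOGDROP) when N or more recorded hits, this one
    included, fall inside the last W seconds.  The kernel keeps at most
    ip_pkt_list_tot timestamps per address, so a hitcount above that never
    matches.  Returns (accepted, dropped) as lists of (epoch, rhost).
    """
    hits = defaultdict(deque)
    accepted, dropped = [], []
    for now, addr in sorted(events):
        if addr in allow:
            accepted.append((now, addr))
            continue
        q = hits[addr]
        q.append(now)                  # --set: record this connection
        while len(q) > list_tot:
            q.popleft()
        in_window = sum(1 for t in q if now - t <= window)
        if in_window >= hitcount:      # --update matches -> LOGDROP
            dropped.append((now, addr))
        else:
            accepted.append((now, addr))
    return accepted, dropped


def locked_out(text, allow=frozenset()):
    """Map each source that hit LOGDROP to the number of its dropped attempts."""
    _, dropped = recent_match(parse_failures(text), allow)
    counts = defaultdict(int)
    for _, addr in dropped:
        counts[addr] += 1
    return dict(counts)


if __name__ == "__main__":
    for addr, n in sorted(locked_out(SAMPLE_LOG).items()):
        print(f"{addr}: {n} attempt(s) dropped")
```

On the sample, 192.0.2.10 makes eight attempts inside 30 seconds and its sixth, seventh and eighth hit LOGDROP; 203.0.113.5 makes six attempts two minutes apart and is never blocked, because only two of them ever fall inside one 180 second window. Passing the attacker's address in `allow` mirrors the ALLOW_SSH_HOSTS bypass and shows why that whitelist is what keeps the admins themselves from being locked out.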