[lug] iptables help
Ben Luey
bluey at iguanaworks.net
Wed Feb 16 18:35:45 MST 2011
Have you tried denyhosts? It looks at the logs for unsuccessful ssh
login attempts and blacklists the ip for a certain amount of time.
http://denyhosts.sourceforge.net/
On Tue, 2011-02-15 at 15:19 -0800, Paul Nowosielski wrote:
> Dear All,
>
> I have an iptables script that helps to stop
> brute force ssh attacks.
>
> The rules are supposed to drop
> the IP for 180 seconds if they make more than 3 unsuccessful
> login attempts via ssh.
>
> But it blocks an rsync via ssh process after 3 successful logins from $CRM_CA.
> The script needs to run perpetually but
> is being dropped.
>
>
> Here is the meaningful snippet.
>
> # allow ssh
>
> iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 \
>   -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 \
>   -m state --state ESTABLISHED -j ACCEPT
>
> # always allow from CA systems
>
> iptables -A INPUT -j ACCEPT -p all -s $CRM_CA
> iptables -A OUTPUT -j ACCEPT -p all -d $CRM_CA
>
> # slow down brute force
>
> iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>   -m recent --set --name DEFAULT --rsource
> iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>   -m recent --update --seconds 180 --hitcount 3 --name DEFAULT --rsource -j DROP
>
>
> I really don't want to remove the logic to drop an IP after 3 login attempts
> because it works so well.
> Does anyone see a simple solution to my problem?
>
> Thank you,
>
> Paul
>
>
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
--
Ben Luey
bluey at iguanaworks.net
http://iguanaworks.net
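The rules quoted above use the `recent` match on NEW connections to port 22, so they count every fresh TCP connection regardless of whether the login succeeds; three rsync-over-ssh sessions look the same to them as three password failures. The approach Ben points at (denyhosts) instead reads sshd's log and counts only failed logins. The following is an added example of that log-driven logic, written for this page and not code from the thread or from denyhosts; the sshd log lines are constructed, the 2011 year is assumed because syslog timestamps omit it, and the `203.0.113.0/24` allowlist stands in for whatever `$CRM_CA` is. Thresholds are the thread's own: more than 3 failures within 180 seconds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds from the thread: more than 3 failed logins inside 180 seconds.
WINDOW = timedelta(seconds=180)
MAX_FAILURES = 3

# Hosts that must never be blocked (the role $CRM_CA plays in the quoted script).
# 203.0.113.0/24 is documentation address space: an assumed value, not from the thread.
ALLOWLIST = [ip_network("203.0.113.0/24")]

# Constructed sample sshd log lines (syslog style; sshd writes no year).
# 198.51.100.7: four failures in ten seconds  -> should be flagged.
# 203.0.113.9:  four successful logins        -> the rsync case, must not be flagged.
# 192.0.2.44:   four failures seven minutes apart -> never 4 inside one 180 s window.
SAMPLE_LOG = """\
Feb 15 15:01:02 host sshd[1001]: Failed password for root from 198.51.100.7 port 41234 ssh2
Feb 15 15:01:05 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 41235 ssh2
Feb 15 15:01:09 host sshd[1003]: Failed password for root from 198.51.100.7 port 41236 ssh2
Feb 15 15:01:12 host sshd[1004]: Failed password for root from 198.51.100.7 port 41237 ssh2
Feb 15 15:02:00 host sshd[1005]: Accepted publickey for backup from 203.0.113.9 port 50001 ssh2
Feb 15 15:02:10 host sshd[1006]: Accepted publickey for backup from 203.0.113.9 port 50002 ssh2
Feb 15 15:02:20 host sshd[1007]: Accepted publickey for backup from 203.0.113.9 port 50003 ssh2
Feb 15 15:02:30 host sshd[1008]: Accepted publickey for backup from 203.0.113.9 port 50004 ssh2
Feb 15 15:03:00 host sshd[1009]: Failed password for root from 192.0.2.44 port 60001 ssh2
Feb 15 15:10:00 host sshd[1010]: Failed password for root from 192.0.2.44 port 60002 ssh2
Feb 15 15:17:00 host sshd[1011]: Failed password for root from 192.0.2.44 port 60003 ssh2
Feb 15 15:24:00 host sshd[1012]: Failed password for root from 192.0.2.44 port 60004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2011):
    """Return (timestamp, 'Failed'|'Accepted', ip) or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], ip_address(m["ip"])


def is_allowlisted(ip):
    return any(ip in net for net in ALLOWLIST)


def find_offenders(log_text, window=WINDOW, max_failures=MAX_FAILURES):
    """Sliding-window count of *failed* logins per source IP.

    Returns {ip: time_of_first_trigger} for every IP that exceeded
    max_failures failures inside any `window`-long interval.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, ip = parsed
        # Successful logins never count, and trusted hosts are skipped entirely,
        # which is what the recent-match rules in the thread cannot express.
        if outcome != "Failed" or is_allowlisted(ip):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) > max_failures and ip not in offenders:
            offenders[ip] = ts
    return offenders


def block_command(ip):
    """The iptables command a blocker would run for one offender (returned, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", str(ip), "-p", "tcp", "--dport", "22", "-j", "DROP"]


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(when.isoformat(), " ".join(block_command(ip)))
```

The check that matters for Paul's case is the `outcome != "Failed"` line: the backup host's four successful logins are never counted, whether or not it is allowlisted, while the allowlist gives the same unconditional exemption the `$CRM_CA` rule was meant to. A real blocker would also expire entries after the 180 seconds, which denyhosts and similar tools do for you.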