[lug] iptables help

Paul Nowosielski paulnowosielski at yahoo.com
Sun Feb 20 11:34:38 MST 2011


Thanks, I'll look into this!

On 02/16/2011 06:35 PM, Ben Luey wrote:
> Have you tried denyhosts? It looks at the logs for unsuccessful ssh
> login attempts and blacklists the IP for a certain amount of time.
>
> http://denyhosts.sourceforge.net/
>
>
>
> On Tue, 2011-02-15 at 15:19 -0800, Paul Nowosielski wrote:
>   
>> Dear All,
>>
>> I have an iptables script that helps to stop
>> brute force ssh attacks.
>>
>> The rules are supposed to drop
>> the IP for 180 seconds if they make more than 3 unsuccessful
>> login attempts via ssh.
>>
>> But it blocks an rsync-over-ssh process after 3 successful logins from $CRM_CA.
>> The script needs to run perpetually but
>> is being dropped.
>>
>>
>> Here is the meaningful snippet.
>>
>> # allow ssh
>>
>> iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 \
>>     -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 \
>>     -m state --state ESTABLISHED -j ACCEPT
>>
>> # always allow from CA systems
>>
>> iptables -A INPUT -j ACCEPT -p all -s $CRM_CA
>> iptables -A OUTPUT  -j ACCEPT -p all -d $CRM_CA
>>
>> # slow down brute force
>>
>> iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>>     -m recent --set --name DEFAULT --rsource
>> iptables -I INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>>     -m recent --update --seconds 180 --hitcount 3 --name DEFAULT --rsource -j DROP
>>
>>
>> I really don't want to remove the logic to drop an IP after 3 login attempts
>> because it works so well.
>> Does anyone see a simple solution to my problem?
>>
>> Thank you,
>>
>> Paul
>>
>>
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>
>>     
>   
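Editor's note on the script quoted above, with an added example that is not part of the original post. Two things in the snippet explain the rsync breakage. First, the two "slow down brute force" rules use -I, which inserts at the head of the INPUT chain, so they are evaluated before the "-A ... -s $CRM_CA -j ACCEPT" rule that was appended earlier; the whitelist never gets a chance to match. Second, the recent match counts NEW TCP connections to port 22, not failed logins: netfilter never sees whether SSH authentication succeeded, so three successful rsync sessions inside 180 seconds look exactly like three brute-force attempts (and with --set listed before --update and --hitcount 3, the third connection in the window is already the one that gets dropped). The script below keeps the same rate-limit logic but appends everything with -A in the intended order and exempts the trusted host from the recent list with "! -s". The addresses, the SSH list name and the check_rules helper are assumptions made for this example; IPTABLES=echo gives a dry run that can be inspected without root.

```shell
#!/bin/sh
# Added example, not the list poster's script: brute-force rate limit for
# ssh with the trusted host exempted and the rules in the intended order.
#
# IPTABLES=echo turns the script into a dry run (prints the rules instead of
# installing them).  Addresses are placeholders from the RFC 5737 test ranges.
IPTABLES="${IPTABLES:-iptables}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"     # assumption: the server's own address
CRM_CA="${CRM_CA:-198.51.100.5}"         # assumption: the trusted rsync client

ssh_rules() {
    # 1. Trusted host first.  Everything is appended with -A, so the chain is
    #    evaluated in the order written here; nothing is inserted ahead of it.
    $IPTABLES -A INPUT  -p all -s "$CRM_CA" -j ACCEPT
    $IPTABLES -A OUTPUT -p all -d "$CRM_CA" -j ACCEPT

    # 2. Rate limiter.  "! -s $CRM_CA" keeps the trusted host out of the
    #    recent list entirely.  --set records the source address, --update
    #    refreshes its timestamp and checks the count: the 4th NEW connection
    #    within 180 s is dropped, so three get through, and a client that
    #    keeps retrying stays blocked because every retry refreshes the entry.
    #    Note this counts TCP connections, not failed logins.
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW ! -s "$CRM_CA" \
        -m recent --set --name SSH --rsource
    $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW ! -s "$CRM_CA" \
        -m recent --update --seconds 180 --hitcount 4 --name SSH --rsource -j DROP

    # 3. General ssh access for everyone else, as in the original snippet.
    $IPTABLES -A INPUT  -p tcp -s 0/0 -d "$SERVER_IP" --sport 513:65535 --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -s "$SERVER_IP" -d 0/0 --sport 22 --dport 513:65535 \
        -m state --state ESTABLISHED -j ACCEPT
}

# check_rules (assumed helper): dry-run the rule set and verify that the
# trusted-host ACCEPT comes before the DROP and that the DROP rule exempts
# the trusted host.  Returns 0 when both hold, 1 otherwise.
check_rules() {
    rules=$(IPTABLES=echo; ssh_rules)
    accept_at=$(printf '%s\n' "$rules" | grep -n -- "-s $CRM_CA -j ACCEPT" | cut -d: -f1)
    drop_at=$(printf '%s\n' "$rules" | grep -n -- "-j DROP" | cut -d: -f1)
    [ -n "$accept_at" ] && [ -n "$drop_at" ] || return 1
    [ "$accept_at" -lt "$drop_at" ] || return 1
    printf '%s\n' "$rules" | grep -q -- "! -s $CRM_CA .*-j DROP" || return 1
    return 0
}

case "${1:-}" in
    apply)   ssh_rules ;;                     # installs the rules; needs root
    dry-run) IPTABLES=echo; ssh_rules ;;      # print the rules in chain order
    check)   check_rules && echo "rule order OK" ;;
esac
```

Run it as "sh ssh-rules.sh dry-run" to see the final chain order, and "sh ssh-rules.sh check" before applying. Whether the whitelist should be a separate ACCEPT rule, a "! -s" exemption, or both is a matter of taste; using both means the trusted host is neither dropped nor counted even if someone later reorders the chain.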


