From: "Tad Glines"
To: gentoo-security@gentoo.org
Subject: RE: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Sun, 2 Oct 2005 14:24:23 -0700
Message-ID: <000001c5c797$aa732870$0200080a@SPRITE>
In-Reply-To: <43404CB8.3@lunatic.net.nz>
List-Id: Gentoo Linux mail

> Jeremy Brake wrote:
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.

These are the rules that I'm using.
# Track connections to SSH: record the client's source address in the
# "SSH" recent list each time it closes (FIN/ACK) or aborts (RST) an
# established session, i.e. once per finished login attempt.
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
   --dport 22 -m recent --name SSH --set
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
   --dport 22 -m recent --name SSH --set
# Drop if the connection rate reaches 4/minute (--hitcount 4 matches on
# the fourth entry seen within 60 s). -m limit with its defaults
# (3/hour, burst 5) keeps the LOG rule from flooding syslog.
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -j DROP
# Drop if the connection rate reaches 20/hour
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -j DROP

-Tad
-- 
gentoo-security@gentoo.org mailing list
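The following is an added example, not code from Tad's post or from Gentoo. It generates an iptables-restore fragment built on the same idea (count session closes with -m recent, then drop new connections from sources that hit the threshold) and adds the exclusion list Jeremy asked for. Two changes from the rules above are my own choices: the rules live in a dedicated chain (SSH_RATE, an assumed name) so the allowlist can RETURN early, and the --rcheck rules are restricted to --syn so a source that trips the threshold can no longer open sessions but does not have its existing session's packets dropped, which the original rules do. The argument order, default thresholds and allowlist format are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore
# fragment implementing "count SSH session closes, drop new SYNs from
# sources that close too many sessions", with an allowlist.
# Chain name SSH_RATE, argument order and allowlist format are assumed.
#
# usage: ssh_recent_rules IFACE "ALLOW_CIDR ..." [PER_MIN] [PER_HOUR]
ssh_recent_rules() {
    iface=$1
    allow=$2
    per_min=${3:-4}
    per_hour=${4:-20}

    printf '%s\n' '*filter'
    printf '%s\n' ':SSH_RATE - [0:0]'
    # Hand every inbound SSH packet on the interface to the dedicated chain.
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport 22 -j SSH_RATE"

    # Exclusion list: trusted sources are neither counted nor dropped.
    for cidr in $allow; do
        printf '%s\n' "-A SSH_RATE -s $cidr -j RETURN"
    done

    # Record the source when the client ends a session (FIN/ACK) or
    # aborts it (RST); each finished login attempt adds one entry.
    printf '%s\n' "-A SSH_RATE -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK -m recent --name SSH --set"
    printf '%s\n' "-A SSH_RATE -p tcp -m state --state ESTABLISHED --tcp-flags RST RST -m recent --name SSH --set"

    # Only new connections (SYN) are rate-checked. --rcheck does not
    # refresh the entry, so the block expires as the old closes age out.
    for pair in "60:$per_min" "3600:$per_hour"; do
        secs=${pair%%:*}
        hits=${pair##*:}
        rule="-A SSH_RATE -p tcp --syn -m recent --name SSH --rcheck --seconds $secs --hitcount $hits"
        printf '%s\n' "$rule -m limit --limit 3/hour --limit-burst 5 -j LOG --log-prefix \"SSH_limit: \""
        printf '%s\n' "$rule -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Print the fragment by default; apply it only when explicitly asked.
# -n (--noflush) keeps the rest of the running ruleset intact.
if [ "$1" = "--apply" ]; then
    shift
    ssh_recent_rules "$@" | iptables-restore -n
else
    ssh_recent_rules "${1:-eth0}" "${2:-}"
fi
```

Run it once with --apply (re-running appends a second INPUT jump to SSH_RATE). To see which sources are currently in the list and when they were last seen, read the kernel's view of the recent table: /proc/net/xt_recent/SSH on current kernels, /proc/net/ipt_recent/SSH on the 2.6.x kernels of the time.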