public inbox for gentoo-user@lists.gentoo.org
From: "Anno v. Heimburg" <anno@vonheimburg.de>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user]  Re: SSH brute force attacks and blacklist.py
Date: Wed, 27 Feb 2008 22:39:15 +0100
Message-ID: <fq4la3$kqn$1@ger.gmane.org>
In-Reply-To: 47C5B4F9.9060701@j-schmitz.net

Justin wrote:

> Try fail2ban

Alternatively, you can use the builtin iptables connection rate limiter.

Excerpt from my home-grown firewall script:

------------
for port in $INPUT_LIMITER_TCPPORTS; do
        # 1. record a hit for the source address on every new connection
        $IPT_IN -p tcp --dport $port -m state --state NEW \
                -m recent --name "limit-${port}" --set
        # 2. log when the host has reached the limit within the time window ...
        $IPT_IN -p tcp --dport $port -m state --state NEW \
                -m recent --name "limit-${port}" --rcheck \
                --seconds $INPUT_LIMITER_TIME --hitcount $INPUT_LIMITER_COUNT \
                -j LOG --log-prefix "limit-rjct-${port} "
        # 3. ... and reject the connection
        $IPT_IN -p tcp --dport $port -m state --state NEW \
                -m recent --name "limit-${port}" --rcheck \
                --seconds $INPUT_LIMITER_TIME --hitcount $INPUT_LIMITER_COUNT \
                -j REJECT
        # 4. log new connections that are within the limit ...
        $IPT_IN -p tcp --dport $port -m state --state NEW \
                -j LOG --log-level notice --log-prefix "limit-acpt-${port} "
        # 5. ... and accept them
        $IPT_IN -p tcp --dport $port -m state --state NEW -j ACCEPT
done
----------------

It limits the number of new connections on each port in
INPUT_LIMITER_TCPPORTS from any individual host to INPUT_LIMITER_COUNT
within INPUT_LIMITER_TIME.

More precisely, it does the following:

1. When a new connection is established by a previously unknown host, set a
mark (first rule).
2. When the number of marks from that host has exceeded the specified upper
connection limit, reject the connection (third rule); you could also drop it.
3. Otherwise, accept the connection (fifth rule).

Rules numbers 2 and 4 are for logging purposes only, and have no impact on
functionality. By using --log-prefix, you can use your logging daemon's
filtering capabilities to sort these requests into new 

The count is reset after INPUT_LIMITER_TIME seconds have passed. Thus, after
exceeding INPUT_LIMITER_COUNT, you have to wait for $INPUT_LIMITER_SECONDS
before a new attempt.

Oh yeah, $IPT_IN is shorthand for "${IPTABLES} -t filter -A INPUT", where
${IPTABLES} points to the iptables executable, of course.

The advantage of this solution is that it does not rely on log file parsing
or any other magic, it simply counts the number of connections from each
host on a specific port. It is very easy on the CPU and very stable; it
continues working as long as your kernel works.

The disadvantage is that it does not rely on log file parsing or any other
magic, it simply counts the number of connections from each host on a
specific port. It cannot do anything clever. Also, your iptables -L output
gets a bit cluttered by adding five rules for every port you want to
rate-limit.

Anno.

-- 
gentoo-user@lists.gentoo.org mailing list




Thread overview: 12+ messages
2008-02-27 17:51 [gentoo-user] SSH brute force attacks and blacklist.py Steve
2008-02-27 18:09 ` [gentoo-user] " 7v5w7go9ub0o
2008-02-27 18:14   ` 7v5w7go9ub0o
2008-02-27 18:12 ` [gentoo-user] " Alan McKinnon
2008-02-27 19:07 ` Justin
2008-02-27 21:39   ` Anno v. Heimburg [this message]
2008-02-28 16:31     ` [gentoo-user] " Willie Wong
2008-02-27 20:24 ` Remy Blank
2008-02-27 23:01   ` Iain Buchanan
2008-02-28  9:55   ` Etaoin Shrdlu
2008-02-28 11:13     ` Steve
2008-02-28 16:19       ` Willie Wong
