From: "Anno v. Heimburg"
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: SSH brute force attacks and blacklist.py
Date: Wed, 27 Feb 2008 22:39:15 +0100
References: <47C5A316.8010303@shic.co.uk> <47C5B4F9.9060701@j-schmitz.net>

Justin wrote:
> Try fail2ban

Alternatively, you can use the builtin iptables connection rate limiter.
Excerpt from my home-grown firewall script:

------------
for port in $INPUT_LIMITER_TCPPORTS; do
    # 1. remember every new connection from this host on this port
    $IPT_IN -p tcp --dport $port -m state --state NEW -m \
        recent --name "limit-${port}" --set
    # 2. log connections that exceed the limit within the time window
    $IPT_IN -p tcp --dport $port -m state --state NEW -m \
        recent --name "limit-${port}" --rcheck --seconds $INPUT_LIMITER_TIME \
        --hitcount $INPUT_LIMITER_COUNT -j LOG --log-prefix "limit-rjct-${port} "
    # 3. reject them
    $IPT_IN -p tcp --dport $port -m state --state NEW -m \
        recent --name "limit-${port}" --rcheck --seconds $INPUT_LIMITER_TIME \
        --hitcount $INPUT_LIMITER_COUNT -j REJECT
    # 4. log everything else that got through
    $IPT_IN -p tcp --dport $port -m state --state NEW \
        -j LOG --log-level notice --log-prefix "limit-acpt-${port} "
    # 5. and accept it
    $IPT_IN -p tcp --dport $port -m state --state NEW -j ACCEPT
done
----------------

It limits the number of new connections on each port in INPUT_LIMITER_TCPPORTS
from any individual host to INPUT_LIMITER_COUNT within INPUT_LIMITER_TIME.
More precisely, it does the following:

1. When a new connection is established by a previously unknown host, set a
   mark (first rule).
2. When the number of marks from that host has exceeded the specified upper
   connection limit, reject the connection (third rule); you could also drop
   it.
3. Otherwise, accept the connection (fifth rule).

Rules 2 and 4 are for logging purposes only, and have no impact on
functionality. By using --log-prefix, you can use your logging daemon's
filtering capabilities to sort these requests into new

The count is reset after INPUT_LIMITER_TIME seconds have passed. Thus, after
exceeding INPUT_LIMITER_COUNT, you have to wait for $INPUT_LIMITER_SECONDS
before a new attempt.

Oh yeah, $IPT_IN is shorthand for "${IPTABLES} -t filter -A INPUT", where
${IPTABLES} points to the iptables executable, of course.

The advantage of this solution is that it does not rely on log file parsing or
any other magic; it simply counts the number of connections from each host on
a specific port. It is very easy on the CPU and very stable; it continues
working as long as your kernel works.

The disadvantage is that it does not rely on log file parsing or any other
magic; it simply counts the number of connections from each host on a specific
port. It cannot do anything clever. Also, your iptables -L output gets a bit
cluttered by adding five rules for every port you want to rate-limit.

Anno.

-- 
gentoo-user@lists.gentoo.org mailing list
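The five-rules-per-port scheme from the post, as an added example that is not Anno's script: a POSIX sh function that emits the rules for one port in the order the post describes (mark, log-reject, reject, log-accept, accept), so the ordering can be inspected in dry-run mode before anything touches the live firewall. The defaults (port 22, a window of 60 seconds, 4 connections) and the `dry_run` wrapper that stands in for the iptables binary are assumptions; export IPTABLES=/sbin/iptables to apply the rules for real.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumption: with no IPTABLES set, the "dry_run" function below replaces the
# iptables binary, so the rules are printed instead of installed.
dry_run() {
    echo "iptables $*"
}

IPTABLES="${IPTABLES:-dry_run}"
IPT_IN="${IPTABLES} -t filter -A INPUT"        # same shorthand as in the post
INPUT_LIMITER_TIME="${INPUT_LIMITER_TIME:-60}"   # assumed window, seconds
INPUT_LIMITER_COUNT="${INPUT_LIMITER_COUNT:-4}"  # assumed limit per window
INPUT_LIMITER_TCPPORTS="${INPUT_LIMITER_TCPPORTS:-22}"

# Emit the five rules for one port, in the order the post describes:
# 1 mark the host, 2 log over-limit hosts, 3 reject them,
# 4 log accepted new connections, 5 accept them.
limit_port() {
    port="$1"
    match="-p tcp --dport ${port} -m state --state NEW"
    recent="-m recent --name limit-${port}"
    over="${recent} --rcheck --seconds ${INPUT_LIMITER_TIME} --hitcount ${INPUT_LIMITER_COUNT}"

    $IPT_IN $match $recent --set
    $IPT_IN $match $over -j LOG --log-prefix "limit-rjct-${port} "
    $IPT_IN $match $over -j REJECT
    $IPT_IN $match -j LOG --log-level notice --log-prefix "limit-acpt-${port} "
    $IPT_IN $match -j ACCEPT
}

# Sanity check: every rate-limited port costs exactly five INPUT rules,
# which is the "cluttered iptables -L" the post mentions.
rule_count() {
    limit_port "$1" | wc -l | tr -d ' '
}

for port in $INPUT_LIMITER_TCPPORTS; do
    limit_port "$port"
done
```

Running the block as-is prints the rules for port 22; the order matters, because the reject rules must sit above the accept rule or the limit never fires.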