[RLUG] Sunday afternoon fun
Joshua Simpson
std3rr at gmail.com
Mon Nov 6 10:16:31 PST 2006
On 11/6/06, Grant Kelly <gkelly at gmail.com> wrote:
>
>
> Once I noticed the attempts were happening, to block any traffic from
> them to me, I added the ip address to /etc/hosts.deny, or:
>
> `echo "ALL:ip.add.re.ss" >> /etc/hosts.deny`
Trying to blacklist every IP that attempts automated ssh brute-force logins
is an exercise in futility.
Just whitelist all IPs you and trusted others will be connecting from.
If you habitually connect from unknown remote IPs, you can always go the fun
route and hack up a primitive iptables-based port knocking implementation.
Like so:
# Three 'recent' lists (LEVEL1..LEVEL3) record how far a source IP has got
# through the knock sequence.

# GO-LEVEL2: the IP completed knock 1 -> remove it from LEVEL1, add it to LEVEL2
/sbin/iptables -N GO-LEVEL2
/sbin/iptables -A GO-LEVEL2 -m recent --name LEVEL1 --remove
/sbin/iptables -A GO-LEVEL2 -m recent --name LEVEL2 --set

# GO-LEVEL3: the IP completed knock 2 -> remove it from LEVEL2, add it to LEVEL3
/sbin/iptables -N GO-LEVEL3
/sbin/iptables -A GO-LEVEL3 -m recent --name LEVEL2 --remove
/sbin/iptables -A GO-LEVEL3 -m recent --name LEVEL3 --set

# No target: any packet from an IP already in LEVEL1 just refreshes its timestamp
/sbin/iptables -A INPUT -m recent --update --name LEVEL1
# Knock 1: a packet to port 101 puts the source IP in LEVEL1
/sbin/iptables -A INPUT -p tcp --dport 101 -m recent --set --name LEVEL1
# Knock 2: port 201 from an IP already in LEVEL1 moves it to LEVEL2
/sbin/iptables -A INPUT -p tcp --dport 201 -m recent --rcheck --name LEVEL1 -j GO-LEVEL2
# Knock 3: port 301 from an IP already in LEVEL2 moves it to LEVEL3
/sbin/iptables -A INPUT -p tcp --dport 301 -m recent --rcheck --name LEVEL2 -j GO-LEVEL3
# ssh is accepted only from an IP that reached LEVEL3 within the last 10 seconds
/sbin/iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 10 --name LEVEL3 -j ACCEPT
Connect to ports 101, 201 and 301 with telnet using a strung-together command
(telnet <ip> 101; telnet <ip> 201; telnet <ip> 301; ssh <ip>), and it'll
open ssh for 10 seconds. You can play around with this, switching tcp
connects to ICMP, etc. You might want to implement the LOG target after
each LEVEL as well.
If you have any problems, let me know. Cheers.
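The rules above cannot be exercised without root and a real netfilter stack, so here is an added model (not code from the e-mail or from RLUG) that replays packets against an in-memory stand-in for the three `-m recent` lists and the INPUT rule order. It shows the three behaviours a reviewer would want to confirm before deploying the knock: the in-order sequence opens port 22, a stale LEVEL3 entry outside the 10-second window does not, and out-of-order knocks never advance. The source address 192.0.2.10, the timestamps and the log format are constructed sample values; the model assumes the INPUT policy is DROP, which the post implies but does not show.

```python
from dataclasses import dataclass, field

# Constructed sample values; the ports and window mirror the rules in the post.
KNOCK_PORTS = (101, 201, 301)   # knocks that lead to LEVEL1, LEVEL2, LEVEL3
SSH_PORT = 22
WINDOW_SECONDS = 10             # --seconds 10 on the port 22 rule


@dataclass
class RecentKnocker:
    """In-memory stand-in for the three `-m recent` lists and the INPUT chain."""
    # list name -> {source ip: last-seen timestamp}, like the kernel's recent tables
    lists: dict = field(default_factory=lambda: {"LEVEL1": {}, "LEVEL2": {}, "LEVEL3": {}})
    # what a LOG target placed after each GO-LEVEL chain would record
    log: list = field(default_factory=list)

    def _rcheck(self, name, ip, now, seconds=None):
        # --rcheck: true if the ip is listed and, with --seconds, was seen inside that window
        seen = self.lists[name].get(ip)
        return seen is not None and (seconds is None or now - seen <= seconds)

    def _advance(self, old, new, ip, now):
        # GO-LEVELn chain: --remove from the previous list, --set on the next one
        if old is not None:
            self.lists[old].pop(ip, None)
        self.lists[new][ip] = now
        self.log.append(f"{now}s {ip} -> {new}")

    def packet(self, ip, dport, now):
        """Walk the INPUT rules in the post's order for one TCP packet.

        Returns 'ACCEPT' only for port 22 from an IP with a fresh LEVEL3 entry.
        Every other packet falls off the end of the chain, which this model
        assumes is a DROP policy (the post does not show the policy itself).
        """
        # -m recent --update --name LEVEL1 with no target: refresh the timestamp, continue
        if ip in self.lists["LEVEL1"]:
            self.lists["LEVEL1"][ip] = now
        if dport == KNOCK_PORTS[0]:
            self._advance(None, "LEVEL1", ip, now)
        elif dport == KNOCK_PORTS[1] and self._rcheck("LEVEL1", ip, now):
            self._advance("LEVEL1", "LEVEL2", ip, now)
        elif dport == KNOCK_PORTS[2] and self._rcheck("LEVEL2", ip, now):
            self._advance("LEVEL2", "LEVEL3", ip, now)
        elif dport == SSH_PORT and self._rcheck("LEVEL3", ip, now, WINDOW_SECONDS):
            return "ACCEPT"
        return "DROP"


def replay(events):
    """events: (src_ip, dport, seconds) tuples; returns (verdict per packet, log lines)."""
    fw = RecentKnocker()
    verdicts = [fw.packet(ip, port, t) for ip, port, t in events]
    return verdicts, fw.log


# Constructed scenarios for one client, 192.0.2.10 (a documentation address).
def correct_sequence():
    verdicts, _ = replay([("192.0.2.10", 101, 0), ("192.0.2.10", 201, 1),
                          ("192.0.2.10", 301, 2), ("192.0.2.10", 22, 5)])
    return verdicts


def expired_window():
    # ssh arrives 11 s after the LEVEL3 knock, outside --seconds 10
    verdicts, _ = replay([("192.0.2.10", 101, 0), ("192.0.2.10", 201, 1),
                          ("192.0.2.10", 301, 2), ("192.0.2.10", 22, 13)])
    return verdicts


def wrong_order():
    # 301 before 201 never reaches LEVEL3, so port 22 stays closed
    verdicts, _ = replay([("192.0.2.10", 101, 0), ("192.0.2.10", 301, 1),
                          ("192.0.2.10", 201, 2), ("192.0.2.10", 22, 3)])
    return verdicts


if __name__ == "__main__":
    for name, fn in (("in order", correct_sequence), ("expired", expired_window),
                     ("wrong order", wrong_order)):
        print(f"{name:12s} {fn()}")
```

Two things the replay makes visible that the rule listing does not. The knock packets themselves are never accepted, so with a DROP policy each `telnet` in the chained command waits for its connect timeout rather than failing fast. And the port 22 rule is evaluated per packet: once the 10-second window has passed, later packets of an already open ssh session fall through to the policy as well, so a real deployment wants an `ESTABLISHED,RELATED` accept rule ahead of these in INPUT, which the post leaves to the reader.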