
Re: [suse-security] Detecting Brute-Force and Dictionary attacks



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The Wednesday 2006-11-01 at 03:58 -0700, Wilson Mattos wrote:

> You can definitely accomplish what you want with iptables.  You have the 
> right concept on how to do it, but your rules are not quite right.
> 
> Try this (and make sure that if you have other rules that these show up 
> first, otherwise other rules you might have in the INPUT chain might be 
> allowing the packets and iptables never gets to these rules):
> 
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH
> 
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH_brute_force "
> 
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
> 
> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

That appears to be similar to what Bjorn Tore Sund posted here a year ago 
(<http://lists.suse.com/archive/suse-security/2005-Dec/0069.html>), as a 
set of rules to be included in 
"/etc/sysconfig/scripts/SuSEfirewall2-custom". I have them in 
fw_custom_before_antispoofing() - although I don't know if that is the 
best place:

{
    # record every new (SYN) connection to port 22 under the list name "sshattack"
    iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set

    # once a source has 6 hits within 60 s, log it ...
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '

    # ... and reject it; --update also refreshes the entry's "last seen" time on each match
    iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

    true
}

But what you propose, especially the second one, is more elaborate and 
interesting, and your explanation is enlightening. Could it be included 
in the SuSEfirewall scripts somewhere?

- -- 
Cheers,
       Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFFShhPtTMYHG2NR9URAu11AJ9dkgFVPG9pBdFquv9Mq8+gw1DTiwCeO6E+
zubmCm0t2oJIrgvAPl02p4s=
=1gXJ
-----END PGP SIGNATURE-----


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
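The rate-limit rules quoted above, installed in a dedicated chain so that they are evaluated before anything else in INPUT (the ordering caveat Wilson raises). This is an added example, not code from the original posts or from SuSEfirewall2. It assumes a Linux host with iptables and the "recent" match; the chain name SSH_RL, the list name SSH, the 4-in-60-seconds threshold and the IPT/print_ipt dry-run convention are my own choices, and the -D/-I pair for the jump is there so re-running the script does not leave duplicate rules.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): SSH rate limiting with the
# iptables "recent" match, kept in its own chain so no earlier INPUT rule can
# ACCEPT the packet before the check runs.
# Assumed names: chain SSH_RL, recent list SSH. Set IPT=print_ipt to dry-run.

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-SSH_RL}"
WINDOW="${WINDOW:-60}"   # seconds
HITS="${HITS:-4}"        # the 4th NEW connection inside WINDOW is dropped

# Dry-run backend: print the iptables arguments instead of running them.
print_ipt() {
    printf '%s\n' "$*"
}

install_ssh_ratelimit() {
    # create the chain, or flush it if it already exists
    "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"

    # 1. record every new SSH connection (per source address) in list "SSH"
    "$IPT" -A "$CHAIN" -m state --state NEW \
        -m recent --set --name SSH --rsource

    # 2. when the source reached HITS entries within WINDOW seconds: log ...
    "$IPT" -A "$CHAIN" -m state --state NEW \
        -m recent --rcheck --seconds "$WINDOW" --hitcount "$HITS" --name SSH --rsource \
        -j LOG --log-prefix "SSH_brute_force " --log-level info

    # ... then drop. --rcheck only tests the list; rule 1 already refreshed it,
    # so an attacker who keeps trying stays blocked until it pauses for WINDOW s
    "$IPT" -A "$CHAIN" -m state --state NEW \
        -m recent --rcheck --seconds "$WINDOW" --hitcount "$HITS" --name SSH --rsource \
        -j DROP

    # 3. everything else goes back to INPUT for the normal rules
    "$IPT" -A "$CHAIN" -j RETURN

    # hand all SSH traffic to the chain from position 1 of INPUT;
    # delete a previous jump first so the script is safe to re-run
    "$IPT" -D INPUT -p tcp --dport 22 -j "$CHAIN" 2>/dev/null
    "$IPT" -I INPUT 1 -p tcp --dport 22 -j "$CHAIN"
}

# Show the addresses currently tracked (kernel-dependent path; newer kernels
# expose /proc/net/xt_recent/<name>, older ones /proc/net/ipt_recent/<name>).
show_tracked() {
    for f in /proc/net/xt_recent/SSH /proc/net/ipt_recent/SSH; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "recent list SSH not found (rules not loaded, or no permission)" >&2
    return 1
}

case "${1:-}" in
    install) install_ssh_ratelimit ;;
    dry-run) IPT=print_ipt install_ssh_ratelimit ;;
    show)    show_tracked ;;
esac
```

Run it as `sh ssh-ratelimit.sh dry-run` to see the exact iptables invocations, and `sh ssh-ratelimit.sh install` as root to load them. Placed in SuSEfirewall2-custom, the same rules would go into a custom hook function, but the dedicated chain plus `-I INPUT 1` is what guarantees they run first regardless of what the rest of the firewall does.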