15 Feb
2009
15 Feb
'09
12:35 a.m.
Fernando Lopez-Lezcano wrote:
Another option is a service called denyhosts, it adds
entries
to /etc/hosts.deny for each host from which a defined number of failed
logins happen. So the attacking hosts are dropped out as they try
passwords and hopefully fail...
While effective, this can result in a DoS against your machine.
However, I do something similar with the firewall. I found a good firewall
script here:
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.h
tml#s-firewall-setup
And I added this rule:
#
# This is to limit all those ssh bots
#
/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW
-m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW
-m recent --set --name DEFAULT --rsource
Which temporarily ignores traffic from a host if they hit my SSH port 4 times in
60 seconds.
However, in the past few months, the scripts that are attacking the ssh ports
have taken on a distributed attack vector that is able to circumvent this
firewall rule.
HTH,
Gabriel