[plug] ssh scans
Stuart Midgley
stuart.midgley at ivec.org
Mon Sep 11 09:43:51 WST 2006
rules like these can also assist
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force"
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH --rsource -j DROP
which only accept 5 connections in 60s to port 22... if it gets more
than that, it drops the packets. Doesn't work with old versions of
iptables.
Stu.
On 11/09/2006, at 9:34, Shannon Carver wrote:
> Interesting! Jason's IPB Monitor sounds like a good all-in-one package,
> might give it a go tonight for my home Machine.
>
> I'm lucky in my current position, that most of the boxes I administer, I do
> so on my own, so I can limit SSH connections to a set of IP's where I'll be
> connecting from, or in the case that other users do need SSH access to the
> system they're usually only connecting from Work connections anyway (static
> IPs), VPN etc.
>
> Thanks for the IPB monitor link!
--
Dr Stuart Midgley
Industry Uptake Program Leader
iVEC, 'The hub of advanced computing in Western Australia'
26 Dick Perry Avenue, Technology Park
Kensington WA 6151
Australia
Phone: +61 8 6436 8545
Fax: +61 8 6436 8555
Email: industry at ivec.org
WWW: http://www.ivec.org
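
Added example (not part of the original post): a small Python summary of the kernel log lines that the LOG rule above writes, grouped by source address. The sample lines, host name, addresses and the year default are constructed assumptions; only the "SSH_brute_force" prefix and port 22 come from the rules.

```python
import re
from collections import defaultdict
from datetime import datetime

PREFIX = "SSH_brute_force"  # --log-prefix value from the rules in the post

# Constructed sample syslog lines (assumption, not from the post). The prefix
# has no trailing space, so it runs straight into "IN=" in the kernel message.
SAMPLE_LOG = """\
Sep 11 09:40:01 gw kernel: SSH_brute_forceIN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 11 09:40:02 gw kernel: SSH_brute_forceIN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40113 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 11 09:40:04 gw kernel: SSH_brute_forceIN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=40114 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 11 09:41:10 gw sshd[2211]: Accepted publickey for alice from 192.0.2.77 port 50022 ssh2
Sep 11 09:42:30 gw kernel: SSH_brute_forceIN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=900 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Syslog timestamp, host, optional kernel uptime stamp, then the fused prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?"
    + re.escape(PREFIX)
    + r"\s*IN=\S* .*?\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)\b"
)


def summarize(log_text, year=2006):
    """Return [(src, hits, first_seen, last_seen)], most-logged source first.

    Syslog timestamps carry no year, so one is supplied (assumed) for parsing.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dpt") != "22":
            continue  # not a line written by the LOG rule for port 22
        ts = " ".join(m.group("ts").split())  # collapse "Sep  1" style padding
        stamp = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        seen[m.group("src")].append(stamp)
    rows = [(src, len(t), min(t), max(t)) for src, t in seen.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, hits, first, last in summarize(SAMPLE_LOG):
        print(f"{src:15} {hits:3} logged  {first:%b %d %H:%M:%S} -> {last:%H:%M:%S}")
```

Each logged line corresponds to one NEW packet that also hit the DROP rule, so the per-source count is dropped packets, not distinct login attempts.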