[plug] hosts.deny over 6000 entries

William Kenworthy billk at iinet.net.au
Thu Oct 29 21:18:39 WST 2009


Hi Scott, good to hear from you.  There are a few things that may help,
but it's ultimately going to depend on whether you need public ssh
access, or you are able to really lock it down and not be reactive to
scan attempts.

I had a similar homebrew setup some years ago, initially based on
portsentry but I found directly parsing log messages more flexible.  At
one point I had almost 10000 iptables rules (not just ssh).  I found
that ping times/performance started to drop measurably after 6000 rules
or so, but at around 10000 was still working.  This on a 1.4Ghz AMD
tbird.  Interestingly it was easy to DOS oneself when one of the kids
ran a filesharing application (that's how you can trigger 10000
iptables rules :)  Not sure how this performance compares with
tcpwrappers but would likely be similar.

I then moved onto GEOIP, but while blocking China as a whole made a big
difference, it was ultimately futile requiring high maintenance as other
sources became more active.

These days I restrict ssh access to a few individual machines only - one
of which is a well managed server (not mine!) - at work that I have a
shell a/c on that is publicly accessible.  This gives me back door
access to my machines from the Internet if I move outside my normal
access locations - problem offloaded :).  This also quiets my logs as
there are no connect attempts as ssh is not visible.  Next time I decide
to travel, I will add portknocking to the mix along with moving ssh to a
non-standard port before loosening the rules.

You might also benefit from consolidating rules into ranges if that's
possible.

I was using ssh rate limiting in iptables for a while which was
effective, but since moving to shorewall on publicly facing machines and
locking ssh via the firewall to particular hosts, I have not needed
it.

Shutting off all external ssh access and using an openvpn tunnel or
perhaps a zebedee tunnel and ssh'ing through that would help - but you
need to have control over the local end as well for this.

Lastly, using keys instead of passwords might sidestep some of the
worry, though not the connect attempts.

In actual fact, I wasn't aware there was an increase in these scans
lately!  So the solution unfortunately, appears to be to hide!

BillK



On Thu, 2009-10-29 at 19:38 +0800, Scott Middleton wrote:
> Hi PLUGgers
> 
> I assume a lot of you know about the concerted worldwide attack of ssh
> over the last few weeks.
> 
> My hosts.deny on my colo is now over 6000 long.
> 
> My question is: at what point is the file getting too large?
> 
> I use portsentry and denyhosts to block attacks and it is working
> exceedingly well but there seems to be no end in sight. One night a
> few weeks ago there were over 700 in 12 hours! I still get several a
> day and the last few days attacks have increased again.
> 
> I have had a total of three known Aussie IP addresses (with reverse
> DNS) and have contacted them promptly.
> 
> Kind Regards
> 
> --
> Scott Middleton
> Managing Director
> Linux Consultants Pty Ltd t/as AssureTek
> Email - Scott at assuretek.com.au
> Phone - 1300 551 696
> Mobile - 0400 212 724
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
-- 
William Kenworthy <billk at iinet.net.au>
Home in Perth!
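Bill's suggestion of consolidating rules into ranges (and his point that rule count, not file size, is what eventually costs performance) can be done mechanically. The following is an added example, not code from the post or from denyhosts/portsentry: it reads hosts.deny-style entries (a constructed sample using RFC 5737 documentation addresses, not real scanners), merges them losslessly into the fewest CIDR blocks, optionally summarises to whole /24s once a threshold of denied hosts is seen in a block (the /24 choice and the threshold of four are assumptions of this example), and writes the result back either in the net/mask form hosts_access(5) accepts or as one iptables DROP rule per block.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a hosts.deny file, in the one-entry-per-line form that
# denyhosts/portsentry write. The addresses are documentation ranges (RFC 5737),
# chosen for the example, not scanners seen on any real host.
SAMPLE_HOSTS_DENY = """\
# /etc/hosts.deny (constructed sample)
ALL: 192.0.2.10
ALL: 192.0.2.11
ALL: 192.0.2.12
ALL: 192.0.2.13
ALL: 192.0.2.14
ALL: 192.0.2.15
sshd: 198.51.100.7
ALL: 198.51.100.8
ALL: 203.0.113.0/255.255.255.0
ALL: 203.0.113.200
"""


def parse_hosts_deny(text):
    """Collect the IPv4 networks denied to ALL or sshd in hosts.deny text.

    Handles single addresses, net/mask pairs and CIDR. Hostnames, wildcards,
    'a.b.c.' prefixes and EXCEPT clauses are skipped rather than guessed at.
    """
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if not {d.strip() for d in daemons.split(",")} & {"ALL", "sshd"}:
            continue
        if "EXCEPT" in clients:
            continue
        for client in clients.replace(",", " ").split():
            try:
                nets.add(ipaddress.ip_network(client, strict=False))
            except ValueError:
                continue
    return nets


def collapse_exact(nets):
    """Lossless merge: the fewest CIDR blocks covering exactly the same
    addresses (adjacent hosts become /31, /30, ...; subsumed entries drop out).
    Nothing that was not already denied becomes denied."""
    return sorted(ipaddress.collapse_addresses(nets))


def summarise_to_prefix(nets, prefixlen=24, min_hosts=4):
    """Lossy summary (a heuristic assumed by this example, not something the
    post prescribes): when at least min_hosts denied addresses fall inside one
    /prefixlen block, deny the whole block. This over-blocks by design, so
    keep the threshold high and put your own hosts in hosts.allow first."""
    hosts_in_block = defaultdict(int)
    members = defaultdict(list)
    for net in nets:
        block = net.supernet(new_prefix=prefixlen) if net.prefixlen > prefixlen else net
        hosts_in_block[block] += net.num_addresses
        members[block].append(net)
    chosen = []
    for block, count in hosts_in_block.items():
        chosen.extend([block] if count >= min_hosts else members[block])
    return sorted(ipaddress.collapse_addresses(chosen))


def to_hosts_deny(nets, daemon="ALL"):
    """Render networks in the net/mask form that hosts_access(5) accepts;
    single hosts are written as plain addresses."""
    lines = []
    for net in nets:
        if net.prefixlen == net.max_prefixlen:
            lines.append(f"{daemon}: {net.network_address}")
        else:
            lines.append(f"{daemon}: {net.network_address}/{net.netmask}")
    return lines


def to_iptables(nets, chain="INPUT"):
    """The same ranges as iptables DROP rules, one per block instead of one per host."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]


if __name__ == "__main__":
    denied = parse_hosts_deny(SAMPLE_HOSTS_DENY)
    exact = collapse_exact(denied)
    lossy = summarise_to_prefix(denied)
    print(f"{len(denied)} entries -> {len(exact)} exact blocks -> {len(lossy)} summarised")
    print("\n".join(to_hosts_deny(exact)))
    print("\n".join(to_iptables(lossy)))
```

On a real file of a few thousand scattered single addresses the exact collapse often saves little, because scanners rarely sit on adjacent addresses; the real reduction comes from the lossy /24 summary, and that is exactly the trade-off Bill ran into with GeoIP country blocks: fewer rules, more collateral blocking, so check hosts.allow before applying it.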



