Old 03-17-2010, 10:14 PM
Léon Keijser
 
your favourite method of dealing with ssh brute force attacks

On Wed, 2010-03-17 at 22:55 +0100, Michał Piotrowski wrote:
> I recently had 30 hours of ssh brute force attack on my system. I'm
> using strong passwords, but still can be generated from /dev/random, so
> I switched to rsa authentication. What's your favourite way to deal
> with such attacks? Please describe pros and cons.

off-topic, but here's a few: run ssh on a high, non-standard port,
implement a portknocker, only work with certificates (not passwords),
set PermitRootLogin to no in your sshd config, obfuscate your
username(s), etc.


Léon


--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 03-19-2010, 12:57 AM
"Dennis J."
 
your favourite method of dealing with ssh brute force attacks

On 03/17/2010 11:24 PM, Michał Piotrowski wrote:
> 2010/3/17 Eric Sandeen<sandeen@redhat.com>:
>> Michał Piotrowski wrote:
>>> Hi,
>>>
>>> I recently had 30 hours of ssh brute force attack on my system. I'm
>>> using strong passwords, but still can be generated from /dev/random, so
>>> I switched to rsa authentication. What's your favourite way to deal
>>> with such attacks? Please describe pros and cons.
>>>
>>> Regards,
>>> Michal
>>
>> Aside from not allowing password logins, I throttle them, they usually
>> get tired and go away to an easier target.
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit --limit 1/minute --limit-burst 2 -j ACCEPT
>
> If I understand correctly - this limits ssh connections to two
> connections per minute. I tried it before on my devel server without
> success. I tried it now with your configuration also without success.
>
> I used
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m limit
> --limit 2/minute --limit-burst 2 -j ACCEPT
> and I still can connect to ssh as many times as I want.

This needs to be followed by:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP

That way as long as you stay within the limiting conditions you get
ACCEPTed by the first rule but if you make more ssh attempts the limit rule
no longer applies and you get DROPed instead.

Regards,
Dennis
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
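The following is an added example, not code from any of the posters: a small Python model of how netfilter walks a chain with the `-m limit` match that Eric and Michał quoted. It replays a constructed series of connection attempts through two chains, the lone limit/ACCEPT rule and the limit/ACCEPT rule followed by Dennis's DROP, and shows why the first still accepts everything (unmatched packets fall through to the chain policy) while the second enforces the rate. The token bucket below is an approximation of the kernel's limit module, the `Rule`, `traverse` and `simulate` names are the example's own, and the arrival times are made up.

```python
# Added example (not from the thread): model of iptables chain traversal with
# the `-m limit` match. Only NEW tcp/22 packets are modelled, since that is all
# the quoted rules match. Token bucket is an approximation of the kernel module.
from dataclasses import dataclass, field
from fractions import Fraction
from typing import List, Optional

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Turn an iptables --limit value such as '1/minute' into tokens per second."""
    count, unit = spec.split("/")
    return Fraction(int(count), UNITS[unit])


@dataclass
class Rule:
    """One rule in the chain, optionally rate-limited with -m limit."""
    target: str                          # "ACCEPT" or "DROP"
    limit: Optional[str] = None          # e.g. "1/minute"; None means no -m limit
    burst: int = 5                       # iptables' default --limit-burst
    _tokens: Fraction = field(init=False, default=Fraction(0))
    _last: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self._tokens = Fraction(self.burst)   # bucket starts full

    def matches(self, now: int) -> bool:
        """Refill the bucket for the elapsed time, then spend one token if there is one."""
        if self.limit is None:
            return True
        rate = parse_rate(self.limit)
        self._tokens = min(Fraction(self.burst), self._tokens + (now - self._last) * rate)
        self._last = now
        if self._tokens >= 1:
            self._tokens -= 1
            return True
        return False


def traverse(chain: List[Rule], now: int, policy: str = "ACCEPT") -> str:
    """Verdict for one NEW packet arriving at `now` seconds: first matching rule wins."""
    for rule in chain:
        if rule.matches(now):
            return rule.target
    return policy                         # nothing matched: the chain policy decides


def simulate(chain: List[Rule], arrival_times: List[int], policy: str = "ACCEPT") -> List[str]:
    """Verdicts for a series of connection attempts, one per arrival time."""
    return [traverse(chain, t, policy) for t in arrival_times]


# Constructed traffic: seven connection attempts, ten seconds apart.
ATTEMPTS = [0, 10, 20, 30, 40, 50, 60]


def limit_only() -> List[Rule]:
    """Eric's rule on its own (fresh bucket each call)."""
    return [Rule("ACCEPT", limit="1/minute", burst=2)]


def limit_then_drop() -> List[Rule]:
    """Eric's rule followed by Dennis's unconditional DROP."""
    return [Rule("ACCEPT", limit="1/minute", burst=2), Rule("DROP")]


if __name__ == "__main__":
    # With the ACCEPT rule alone every attempt is accepted, as Michał observed:
    # once the bucket is empty the limit rule simply stops matching and the
    # packet falls through to the chain's ACCEPT policy.
    print("limit only      :", simulate(limit_only(), ATTEMPTS))
    # With the trailing DROP, two attempts pass immediately (the burst) and
    # then one more per minute; everything in between is dropped.
    print("limit then DROP :", simulate(limit_then_drop(), ATTEMPTS))
```

Two things the model makes visible that are worth keeping in mind when copying the rules: `-m limit` keeps a single bucket for the whole rule, so one noisy client uses up the budget for every source address (the `hashlimit` and `recent` matches are the usual way to limit per source instead), and because both rules only match `--state NEW`, sessions that are already established are not affected by the DROP.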