[Full-disclosure] SSH Bruteforce blocking script
Michael L Benjamin
mike.benjamin at clarinet.com.au
Mon Sep 5 04:50:54 BST 2005
I wasn't aware of this functionality in iptables. It doesn't offer the
kind of permanency or logging that
I might want, but it's a good suggestion nonetheless for other
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of miah
Sent: Friday, September 02, 2005 11:56 PM
To: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
If you're running iptables why not make use of hashlimit? Once a limit
is reached all connection attempts from that IP would be blocked until
the hash entry expires.
An example pulled from the web:
iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \
1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \ --state NEW
Also, don't forget to man iptables or iptables -m hashlimit -h
On Fri, Sep 02, 2005 at 07:33:02PM +0800, Michael L Benjamin wrote:
> -----Original Message-----
> From: full-disclosure-bounces at lists.grok.org.uk
> [mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Pedro
> Sent: Friday, 2 September 2005 05:53 PM
> To: full-disclosure at lists.grok.org.uk
> Subject: Re: [Full-disclosure] SSH Bruteforce blocking script
> >I don't want to debate the goodness or badness of the strategy of
> >blocking hosts like this in /etc/hosts.deny. It works perfectly for
> >me, and most likely would for you, so no religious debates thanks.
> >It's effective at blocking bruteforce attacks. If a host EXCEEDS a
> >specified number of guesses during the (configurable) 30 seconds it
> >takes the script to cycle, the host is blacklisted.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure is hosted and sponsored by Secunia.