- 11-15-2005 #1
- Join Date
- Nov 2005
getting iptables to firewall established connections
i have been writing a script to stop a distributed password guesser that is trying to get into my server over ssh. the password guesser is coming in on different source IP addresses. each IP address attempts about 150 guesses.
i have managed to write a gawk script http://www.60hertz.com/monitorsecurelog.awk that counts the guesses in my /var/log/secure. the gawk script then calls a second script to add a 'drop' rule to my iptables firewall after 20 guesses. the script that adds the firewall rule is http://www.60hertz.com/firewallIp.bash.
my problem is that the script to firewall the attacking IP is updating my iptables rule set but the attacker is not dropped. it appears that the established connection allows the attacker to keep on holding open the connection to my sshd. i modified my firewallIP.bash script to stop and restart sshd after my rule had been applied but that still did not break the attacker's connection.
does anyone know how I can terminate an established connection to sshd from an attacker so that my new firewall rule is effective immediately?
- 11-25-2005 #2
- Join Date
- Aug 2005
I had this problem. I solved it as follows:
$IPT -A BRUTEFORCE -p tcp --dport 22 -m limit --limit 1/m --limit-burst 2 -j RETURN
$IPT -A BRUTEFORCE -p tcp --dport 22 -j LOG --log-level crit --log-prefix "IPT - Brute force attack: "
$IPT -A BRUTEFORCE -p tcp --dport 22 -j DROP
Of course this can be a problem if you're handling a server with many incoming ssh connections!
I know about a solution with the RECENT iptables module, but I'm too lazy to investigate it!!!
When using Windows, have you ever told "Ehi... do your business?"
Linux user #396597 (http://counter.li.org)
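Added example, not part of either post: a per-source version of the reply's BRUTEFORCE chain using the recent match that the reply mentions but does not show. The `-m limit` rule above is one counter shared by every client, while `recent` keeps a separate history per source address. The list name, the 60 second window, the threshold of 4 and the insertion at the top of INPUT are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: per-source SSH throttling with the iptables "recent" match.
# IPT defaults to "echo iptables", so the script only prints the rules (dry run;
# echo drops the quotes around the log prefix). Run it as root with
# IPT=iptables in the environment to load the rules.
IPT="${IPT:-echo iptables}"
CHAIN="BRUTEFORCE"   # same chain name as in the reply above
LIST="sshguess"      # assumed name for the recent list
WINDOW=60            # assumed look-back window, in seconds
HITS=4               # assumed threshold: the 4th new connection is dropped

ssh_recent_rules() {
    $IPT -N "$CHAIN"

    # Only NEW connections to port 22 are counted; packets of sessions that
    # are already established never enter the chain. Inserted first so it is
    # evaluated before any existing rule that accepts port 22 (assumption
    # about the surrounding rule set).
    $IPT -I INPUT 1 -p tcp --dport 22 -m state --state NEW -j "$CHAIN"

    # Record this source address and the time of the attempt.
    $IPT -A "$CHAIN" -m recent --name "$LIST" --set

    # --rcheck tests the history without modifying it, so logging does not
    # add an extra hit for the same packet.
    $IPT -A "$CHAIN" -m recent --name "$LIST" --rcheck \
        --seconds "$WINDOW" --hitcount "$HITS" \
        -j LOG --log-level crit --log-prefix "IPT - Brute force attack: "

    # --update also refreshes the "last seen" time, so a source that keeps
    # retrying stays blocked until it has been quiet for a full window.
    $IPT -A "$CHAIN" -m recent --name "$LIST" --update \
        --seconds "$WINDOW" --hitcount "$HITS" -j DROP

    # Sources under the threshold continue through the rest of INPUT.
    $IPT -A "$CHAIN" -j RETURN
}

ssh_recent_rules
```

These rules act on new connection attempts only; they do not terminate a session that is already established.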