    #1 (Just Joined!; Join Date: Nov 2005; Posts: 1)

    getting iptables to firewall established connections


    I have been writing a script to stop a distributed password guesser that is trying to get into my server over SSH. The password guesser is coming in from different source IP addresses; each IP address attempts about 150 guesses.

    I have managed to write a gawk script, http://www.60hertz.com/monitorsecurelog.awk, that counts the guesses in my /var/log/secure. The gawk script then calls a second script to add a 'drop' rule to my iptables firewall after 20 guesses. The script that adds the firewall rule is http://www.60hertz.com/firewallIp.bash.

    My problem is that the script to firewall the attacking IP is updating my iptables rule set, but the attacker is not dropped. It appears that the established connection allows the attacker to keep holding open the connection to my sshd. I modified my firewallIp.bash script to stop and restart sshd after my rule had been applied, but that still did not break the attacker's connection.

    Does anyone know how I can terminate an established connection to sshd from an attacker so that my new firewall rule is effective immediately?

    thx!

    simbo
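An added example, not simbo's monitorsecurelog.awk or firewallIp.bash (the page only links those): a POSIX shell script that counts "Failed password" lines per source address over constructed /var/log/secure-style lines, then emits the commands that block an offender so that an already established connection is cut too. The sample log, the threshold and the chain layout are assumptions. The usual reason an appended rule "does not bite" is that the INPUT chain starts with an ESTABLISHED,RELATED accept, so a rule added with -A sits below it and is never reached by packets of a connection that already exists; simbo's ruleset is not shown, so that is an assumption here. Restarting sshd does not help either, because each session is handled by a forked sshd child that keeps running when the listening parent is restarted.

```shell
#!/bin/sh
# Added example, not the original poster's monitorsecurelog.awk/firewallIp.bash:
# count failed SSH logins per source address and emit the commands that block
# an offender in a way that also cuts a connection that is already ESTABLISHED.
# The log lines, threshold and chain layout below are assumptions.

# Constructed /var/log/secure-style sample (not real data).
SAMPLE_LOG='Nov 10 03:12:01 host sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51222 ssh2
Nov 10 03:12:03 host sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51222 ssh2
Nov 10 03:12:05 host sshd[4121]: Failed password for root from 203.0.113.5 port 51222 ssh2
Nov 10 03:12:09 host sshd[4130]: Accepted publickey for simbo from 198.51.100.7 port 40110 ssh2
Nov 10 03:12:11 host sshd[4135]: Failed password for root from 198.51.100.7 port 40112 ssh2'

THRESHOLD=${THRESHOLD:-3}   # assumed for the sample; the poster used 20

# offenders LOGTEXT: print "<count> <ip>" for every source with at least
# THRESHOLD failed-password lines, highest count first.
offenders() {
    printf '%s\n' "$1" | awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# block_cmds IP: print the commands that drop traffic from IP to sshd.
# -I INPUT 1, not -A: a typical INPUT chain starts with
#   -m state --state ESTABLISHED,RELATED -j ACCEPT
# so a rule appended with -A is never reached by packets of a connection that
# already exists. Inserting at position 1 puts the DROP ahead of that ACCEPT.
# The conntrack(8) line (conntrack-tools) deletes the kernel's state entry for
# the flow, so it no longer counts as ESTABLISHED at all.
block_cmds() {
    ip=$1
    printf 'iptables -I INPUT 1 -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    printf 'conntrack -D -s %s -p tcp --dport 22\n' "$ip"
}

# Usage (needs root to actually apply the commands):
#   offenders "$(cat /var/log/secure)" | while read -r count ip; do block_cmds "$ip" | sh; done
```

Even with the packets dropped and the conntrack entry gone, the sshd child that accepted the attacker's connection holds its socket until LoginGraceTime expires; to end it at once, find the child with `ss -tnp` (or `netstat -tnp`) by peer address and kill it.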

    #2 (Linux User; Join Date: Aug 2005; Location: Italy; Posts: 401)

    My solution

    I had this problem. I solved it as follows:

    Code:
    # $IPT holds the path to the iptables binary; BRUTEFORCE is a user-defined chain
    # that has to be created (-N BRUTEFORCE) and jumped to from INPUT for SSH traffic
    $IPT -A BRUTEFORCE -p tcp --dport 22 -m limit --limit 1/m --limit-burst 2 -j RETURN
    $IPT -A BRUTEFORCE -p tcp --dport 22 -j LOG --log-level crit --log-prefix "IPT - Brute force attack: "
    $IPT -A BRUTEFORCE -p tcp --dport 22 -j DROP
    These iptables rules permit 3 connections each minute. If this limit is reached, it logs and drops all packets on the SSH port. Normally the password guesser will stop because you don't respond, and try another IP...

    Of course this can be a problem if you're handling a server with many incoming SSH connections!

    I know about a solution with the RECENT iptables module, but I'm too lazy to investigate it!!!
    When using Windows, have you ever told "Ehi... do your business?"
    Linux user #396597 (http://counter.li.org)
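An added example, not the poster's ruleset: the three BRUTEFORCE rules from the answer beside a version built on the `-m recent` module the answer mentions but does not show, with the INPUT wiring that both need. The chain name, hit count, window and the `IPT` dry-run default are assumptions. The point the answer's caveat hints at: `-m limit` is one token bucket shared by every source, so one attacker filling it locks out all other SSH clients, whereas `-m recent` keeps a per-source-address list.

```shell
#!/bin/sh
# Added example, not the original poster's script. IPT defaults to a dry run
# that prints the iptables commands; run with IPT=iptables (as root) to apply.
IPT=${IPT:-echo iptables}
CHAIN=BRUTEFORCE   # assumed chain name, as in the post above

# Variant A: the rules from the post. -m limit is ONE token bucket shared by all
# sources, so a single attacker exhausting it also locks out every legitimate
# SSH client until the bucket refills.
rules_limit() {
    $IPT -N "$CHAIN"
    $IPT -A "$CHAIN" -p tcp --dport 22 -m limit --limit 1/m --limit-burst 2 -j RETURN
    $IPT -A "$CHAIN" -p tcp --dport 22 -j LOG --log-level crit --log-prefix "IPT - Brute force attack: "
    $IPT -A "$CHAIN" -p tcp --dport 22 -j DROP
}

# Variant B: -m recent keeps a per-source list named SSH. --set records the
# current packet for its source; --rcheck (no new timestamp) and --update then
# match once that source has HITS entries inside SECONDS. Other sources keep
# their own counters and are not affected by an attacker.
rules_recent() {
    hits=${1:-4}; seconds=${2:-60}   # assumed defaults: 4th attempt within 60 s is dropped
    $IPT -N "$CHAIN"
    $IPT -A "$CHAIN" -p tcp --dport 22 -m recent --name SSH --set
    $IPT -A "$CHAIN" -p tcp --dport 22 -m recent --name SSH --rcheck --seconds "$seconds" --hitcount "$hits" -j LOG --log-level crit --log-prefix "IPT - SSH brute force: "
    $IPT -A "$CHAIN" -p tcp --dport 22 -m recent --name SSH --update --seconds "$seconds" --hitcount "$hits" -j DROP
    $IPT -A "$CHAIN" -j RETURN
}

# Wiring into INPUT. Order matters: the jump for NEW SSH connections comes
# before the ESTABLISHED,RELATED accept, so only connection attempts are
# counted and the packets of an accepted session are not counted again.
hook_input() {
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j "$CHAIN"
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
}

# Usage (dry run prints the commands):  rules_recent 4 60; hook_input
```

One caveat with `-m recent`: the module keeps at most `ip_pkt_list_tot` timestamps per address (20 by default), so a `--hitcount` above that needs the xt_recent module loaded with a larger value. The recorded addresses can be inspected in /proc/net/xt_recent/SSH.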
