RE: RE: Internet SSH scans

I've been successfully using the following suggestion for Debian:

http://www.debian-administration.org/articles/187

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 -j DROP



The two rules above will limit incoming connections to port 22 to no more than 
3 attempts in a minute - any more than that will be dropped.




> Daxomatic wrote:
> > Hi List,
> >
> > like anybody on the net i have these problems too, and was bored with
> > scrolling the endless logs.  So i decided to put an end to it. Here
> > is a (rather small but effective and a bit blunt )script to put a
> > stop to this annoying behaviour ;-p
> >
> > #!/bin/bash
> > tail -0f /var/adm/messages |while read line;
> >         do echo "$line"|awk '/Invalid user/ {printf ("block in quick
> > on bge1 proto tcp from %s to any port = 22 keep state\n",$NF)}' |ipf
> > -f -; done 
> >
> > as you all can see this is for a solaris 10 box (ipf) if you want to
> > make it work for linux you could do something like this this;
> >
> > tail -0f /var/log/messages |while read line; do echo $line|awk
> > '/Invalid user/{printf $NF}' |cut -b  8-|xargs -i iptables -A INPUT
> > -p tcp -m multiport --destination-ports 22 -s {} -j DROP; done
> >
> > I know there are better ways to script this but hey, its quick and it
> > works for me so perhaps its usefull for you guys/girls too :-)
> >
> >
> > Rgds
> > Dax Hoes
> >
> > On 3 Mar 2006 05:14:44 -0000, admin@chem.uw.edu.pl
> > <admin@chem.uw.edu.pl> wrote:
> > > I have many SSH scans in my large academic network. IMO
> > scanning hosts are Windows zombies.
> > > /p