You can also use iptables for rate limiting, ala adding the following to
your existing iptables configuration:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ALLOWED
:ALLOWED - [0:0]
-A ALLOWED -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 3/min
--limit-burst 3 -j ACCEPT
-A ALLOWED -p tcp -j LOG --log-prefix " DROP RATE_LIMIT " --log-tcp-options
--log-ip-options
-A ALLOWED -p tcp -j REJECT --reject-with icmp-port-unreachable
That limits the bad connections to 3 per minute, and you don't have to
worry about DOSing yourself.
On Wed, 29 Mar 2006, Matt P wrote:
You can also Wrap sshd within xinetd
service ssh
{
flags = REUSE
socket_type = stream
wait = no
user = root
protocol = tcp
server = /usr/sbin/sshd
server_args = -i
log_type = FILE /var/log/sshdlog
log_on_success = HOST PID DURATION EXIT
log_on_failure = HOST ATTEMPT
disable = no
}
Shutdown sshd itself and bounce xinetd. then the hosts.allow and/or
hosts.deny work.
On 3/28/06, Joseph Spenner <joseph85750@yahoo.com> wrote:
--- "Zembower, Kevin" <kzembowe@jhuccp.org> wrote:
What's the current advice on dealing with scripts
that repeatedly try to
log onto SSH using a list of common usernames and
'password' for the
password? I get up to 4,000 of these a day from a
single server. In
searching Google on this, I've learned of techniques
using PAM and
firewall rules that are created dynamically in
response to log-in
attempts.
I've seen systems where an entry is made in
/etc/hosts.allow for sshd: for the offending IP if too
many attempts are detected. But in order for this to
work, your sshd must be compiled with tcp_wrappers
support.
I see this sort of attack a lot, and if the attacking
script hits a tcp wrapped ssh, it will stop
immediately. After a few minutes/hours, the entry can
be removed from hosts.allow (or not).
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
