[Ilugc] Re: Intruders cracked my Server
- From: sriram@xxxxxxxxxxxxx (sriram)
- Date: Sat Jun 21 12:50:42 2008
Raja Subramanian <rajasuperman@...> writes:
This can sometimes be restricting. I prefer to deploy sshblack
http://www.pettingers.org/code/sshblack.html to ban bad IPs.
you may not even need sshblack to do this type of blocking. modern versions of
iptables has built in capability to do this. for example, do
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 2 -j DROP
the key numbers are the seconds and hitcount. above will limit incoming ssh
connections to 3 per minute from any single source ip. usually the breakins will
try multiple userids and passwords - and after a couple of failures, the above
will cause connection requests to be dropped for the next minute. that is
usually sufficient to make the remote script think the machine is inaccesible
and move on to the next target. sshblack can do more, but this is usually
enough. one could increase the 60 - but this is short and in case of our own
inadvertent mistakes, this is short enough an interval to wait out. this type of
rule is in effect on this mailing list server for some months.
sriram
Other related posts:
