root:~# cat /etc/iptables-custom-rules
#
# SSH FLOOD PROTECTION
#
# create our new limiting chain where we can send everything to be limited.
$IPTABLES -N mylimit
# demand 60 minutes of silence from a host that has been flagged as flooding.
$IPTABLES -A mylimit -m recent --update --seconds 3600 -j DROP
# if the host is not flagged for flooding, and has not started to flood in the last minute,
# bounce their connection back where it came from for further rule matching.
$IPTABLES -A mylimit -m limit --limit 2/m --limit-burst 3 -j RETURN
# They have started to flood, drop their ass and flag them.
$IPTABLES -A mylimit -m recent --set -j DROP
# shunt NEW ssh connections over to MyLimit to be limited
$IPTABLES -A INPUT -i $EXT_IF -p tcp --dport ssh -m state --state NEW -j mylimit
root:~# cat /var/log/messages|grep "Failed password"
Jan 29 12:27:11 www sshd[27507]: Failed password for invalid user root from 24.57.37.45 port 37525 ssh2
Jan 29 12:27:13 www sshd[27510]: Failed password for invalid user test from 24.57.37.45 port 37613 ssh2
Jan 29 12:27:14 www sshd[27513]: Failed password for invalid user test from 24.57.37.45 port 37662 ssh2
Jan 29 22:51:56 www sshd[28750]: Failed password for invalid user deutch from 66.163.1.130 port 45877 ssh2
Jan 29 22:51:59 www sshd[28753]: Failed password for invalid user german from 66.163.1.130 port 46037 ssh2
Jan 29 22:52:03 www sshd[28756]: Failed password for invalid user hitler from 66.163.1.130 port 46209 ssh2
Jan 30 08:32:01 www sshd[29576]: Failed password for invalid user charlotte from 219.135.191.21 port 40993 ssh2
Jan 30 08:32:05 www sshd[29579]: Failed password for invalid user charlotte from 219.135.191.21 port 41159 ssh2
Jan 30 08:32:09 www sshd[29582]: Failed password for invalid user charlotte from 219.135.191.21 port 41388 ssh2
Jan 30 12:02:25 www sshd[29875]: Failed password for invalid user root from 218.249.222.135 port 7564 ssh2
Jan 30 12:02:29 www sshd[29878]: Failed password for invalid user admin from 218.249.222.135 port 7636 ssh2
Jan 30 12:02:33 www sshd[29881]: Failed password for invalid user test from 218.249.222.135 port 7700 ssh2
#
root:~# groupadd ssh
root:~# gpasswd -a anders,truls,stine,geir ssh
AllowGroups ssh
Men jeg forstår ikke helt hvordan dette vikre (ikke guru på IPTables, men ønsker å lære)nc skrev:Dette er Anti SSH-Flooding scriptet som fungerer sammen med Arno's iptables brannmur:
- Kode: Merk alt
root:~# cat /etc/iptables-custom-rules
#
# SSH FLOOD PROTECTION
#
# create our new limiting chain where we can send everything to be limited.
$IPTABLES -N mylimit
# demand 60 minutes of silence from a host that has been flagged as flooding.
$IPTABLES -A mylimit -m recent --update --seconds 3600 -j DROP
# if the host is not flagged for flooding, and has not started to flood in the last minute,
# bounce their connection back where it came from for further rule matching.
$IPTABLES -A mylimit -m limit --limit 2/m --limit-burst 3 -j RETURN
# They have started to flood, drop their ass and flag them.
$IPTABLES -A mylimit -m recent --set -j DROP
# shunt NEW ssh connections over to MyLimit to be limited
$IPTABLES -A INPUT -i $EXT_IF -p tcp --dport ssh -m state --state NEW -j mylimit
Dette fungerer ved at hvis noen prøver feiler i å logge seg på 3 ganger i løpet av en kort periode (2min..?) så blir de sperret ute i 1 time (3600 sekunder).
$IPTABLES -N mylimit
$IPTABLES -A mylimit -m recent --update --seconds 3600 -j DROP
$IPTABLES -A mylimit -m limit --limit 2/m --limit-burst 3 -j RETURN
$IPTABLES -A mylimit -m recent --set -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp --dport ssh -m state --state NEW -j mylimit
root:~# cat /etc/iptables-custom-rules
#
# SSH FLOOD PROTECTION
#
# create our new limiting chain where we can send everything to be limited.
$IPTABLES -N mylimit
# demand 60 minutes of silence from a host that has been flagged as flooding.
$IPTABLES -A mylimit -m recent --update --seconds 3600 -j DROP
# if the host is not flagged for flooding, and has not started to flood in the last minute,
# bounce their connection back where it came from for further rule matching.
$IPTABLES -A mylimit -m limit --limit 2/m --limit-burst 3 -j RETURN
# They have started to flood, drop their ass and flag them.
$IPTABLES -A mylimit -m recent --set -j DROP
# shunt NEW ssh connections over to MyLimit to be limited
$IPTABLES -A INPUT -i $EXT_IF -p tcp --dport ssh -m state --state NEW -j mylimit
$IPTABLES -A mylimit -m recent --update --seconds 3600 -j DROP
$IPTABLES -A mylimit -m limit --limit 2/m --limit-burst 3 -j RETURN
$IPTABLES -A mylimit -m recent --set -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp --dport ssh -m state --state NEW -j mylimit
Returner til Tips og triks / Favoritter
Registrerte brukere: Google [Bot]