Most servers that expose SSH on a well-known port get hammered with login attempts from time to time, once the service is revealed by scans or by simple misconfiguration.
The following how-to is stitched together from advice gleaned online.

Count the number of failed SSH login attempts per day
For Ubuntu:
[Root@Box]# cat ./auth.log* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
[Root@Box]# grep 'Failed password' ./auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -n 25
For CentOS:
[Root@Box]# cat ./secure* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c
[Root@Box]# grep 'Failed password' ./secure | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -n 25
The first command gives the number of failed attempts per day; the second lists the 25 source addresses with the most failures. In a "Failed password for [invalid user] NAME from IP port N ssh2" line the address is the fourth field from the end (the last field is the protocol string "ssh2", which is why printing $NF would not work), and counting from the end also works for the lines that carry the extra "invalid user" words.
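The same per-day and per-IP counting, as an added example that is not part of the original post, run over a handful of constructed auth.log-style lines (the host name, addresses and timestamps are made up). It pulls the source address from the field after "from", so lines with and without the "invalid user" prefix are counted the same way, and it ignores non-sshd "Failed" lines.

```shell
#!/bin/sh
# Constructed sample log lines (not a real capture) in auth.log / secure format.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 03:14:07 box sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:09 box sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 03:15:01 box sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 09:20:44 box sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 11 01:02:03 box sshd[2300]: Failed password for invalid user test from 198.51.100.9 port 42000 ssh2
Jan 11 01:02:05 box sshd[2300]: Failed password for oracle from 198.51.100.9 port 42002 ssh2
Jan 11 07:00:00 box CRON[2400]: Failed to open session for user foo
EOF
)

# Failed sshd password attempts per day; output lines look like "      3 Jan 10".
failed_per_day() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'sshd\[' | grep 'Failed password' \
      | awk '{print $1, $2}' | sort | uniq -c
}

# Failed sshd password attempts per source address, most active first.
# The address is the token following "from"; the last field of the line is
# the protocol string "ssh2", so $NF must not be used here.
failed_per_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'sshd\[' | grep 'Failed password' \
      | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' \
      | sort | uniq -c | sort -nr
}

failed_per_day
failed_per_ip
```

To run it against a real log, replace the `printf` of `$SAMPLE_LOG` with `cat /var/log/auth.log*` (Ubuntu) or `cat /var/log/secure*` (CentOS).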
Add rules to IPTABLES
[Root@Box]#iptables -I INPUT -p tcp --dport <YOUR PORT HERE> -i eth0 -m state --state NEW -m recent --set
[Root@Box]#iptables -I INPUT -p tcp --dport <YOUR PORT HERE> -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
The first rule only matches packets that open a new connection to the SSH port on eth0 (adjust the interface name to match your server) and records the source address in the recent module's list. The second rule checks that list: if there have been more than 4 attempts from an IP within 60 seconds, further new connection attempts to that port from that IP are dropped. Only new connections to the SSH port are affected; an established session from the same address and traffic to other ports pass untouched. Because both rules are inserted with -I, the second command ends up above the first in the chain, so the check runs before the address is recorded, which is what makes the threshold "more than 4". This solution doesn't care whether the attempts target the same or different user accounts. Two caveats: an admin who fumbles their own password the same number of times is locked out for the same window, and --update refreshes the timer on every further attempt, so retrying while blocked extends the block; and rules added this way are gone after a reboot unless you save them with your distribution's iptables persistence mechanism.