I added these rules to IPTABLES to slow brute force attacks.

iptables -A INPUT -p tcp --dport 22 -s my_subnet/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

I would like log entries when connections are dropped to see that it's working. How do I do that?

I am guessing I would add this before the drop.

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j LOG --log-prefix 'SSH attack: '

Is that right? Thanks.

Matt
On Tue, August 19, 2008 09:33, Matt wrote:

> I would like log entries when connections are dropped to see that it's
> working. How do I do that?
>
> I am guessing I would add this before the drop.
>
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 5 --rttl --name SSH -j LOG
> --log-prefix 'SSH attack: '
>
> Is that right? Thanks.

That's the right general approach; duplicate the drop rule but with a LOG target and appropriate logging parameters.

--
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
On Tue, Aug 19, 2008 at 5:04 PM, Kenneth Porter <shiva at sewingwitch.com> wrote:

> --On Tuesday, August 19, 2008 10:15 AM -0500 David Dyer-Bennet
> <dd-b at dd-b.net> wrote:
>
>> That's the right general approach; duplicate the drop rule but with a LOG
>> target and appropriate logging parameters.
>
> Another approach is to create a subchain that just logs and drops (no match
> rules), and in your main chain you match on the desired packet and jump to
> the subchain. That eliminates the need to maintain the same match in two
> places, and reduces the number of rules a non-dropped packet has to pass
> through.

Could you post a sample, using the OP's example as a base?

Thanks.

mhr
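The log-and-drop subchain Kenneth describes, written out against Matt's rules as an added example (this is not code posted in the thread). The chain name SSH_LIMIT, the 192.0.2.0/24 stand-in for Matt's my_subnet/24, and the `-m limit` throttle on the LOG rule are my assumptions; the throttle is there so a sustained brute-force run cannot flood the kernel log. The script prints the rules by default so they can be reviewed, and only applies them when invoked with the word `apply` as root.

```shell
#!/bin/sh
# Added example, not from the thread: Matt's recent-match rate limit with the
# LOG and DROP moved into a dedicated subchain, as suggested by Kenneth Porter.
# Assumptions: chain name SSH_LIMIT, a placeholder trusted subnet, and a
# limit match on the LOG rule to keep the log volume bounded.

TRUSTED_SUBNET="${TRUSTED_SUBNET:-192.0.2.0/24}"   # stands in for my_subnet/24
CHAIN=SSH_LIMIT

# Emit the iptables commands instead of running them, so the rule set can be
# inspected (or checked by a test) before it touches a live firewall.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SSH attack: " --log-level 4
iptables -A $CHAIN -j DROP
iptables -A INPUT -p tcp --dport 22 -s $TRUSTED_SUBNET -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j $CHAIN
EOF
}

# Load the rules for real; needs root and a working iptables.
apply_ssh_ratelimit_rules() {
    ssh_ratelimit_rules | sh -e
}

# Number of rules the generator produces; handy as a sanity check without root.
count_rules() {
    ssh_ratelimit_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    apply_ssh_ratelimit_rules
else
    ssh_ratelimit_rules
fi
```

Only the single jump rule in INPUT carries the match; the subchain holds the LOG and DROP, so the match is maintained in one place and a packet that is not being dropped traverses one rule instead of two. Dropped attempts show up in the kernel log under the "SSH attack: " prefix, at most ten immediately and five per minute thereafter.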
Matt (lm7812 at gmail.com) wrote (19.8.2008 17:33):

> I added these rules to IPTABLES to slow brute force attacks.
>
> iptables -A INPUT -p tcp --dport 22 -s my_subnet/24 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent
> --set --name SSH
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

Hi,

I use fail2ban to prevent brute force attacks. Much simpler. :-)

Fail2ban keeps blacklists of IPs that have failed authentication too many times. What counts as "too many", and the duration of blacklisting, can be configured easily in /etc/fail2ban.conf.

I think I installed fail2ban simply using yum. Maybe it was in dag or rpmforge, don't remember exactly now.

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi at greenspot.fi * http://www.greenspot.fi
> I added these rules to IPTABLES to slow brute force attacks.
>
> iptables -A INPUT -p tcp --dport 22 -s my_subnet/24 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent
> --set --name SSH
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP
>
> I would like log entries when connections are dropped to see that it's
> working. How do I do that?
>
> I am guessing I would add this before the drop.
>
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 5 --rttl --name SSH -j LOG
> --log-prefix 'SSH attack: '

That seems to have worked.

Another quick question. Would it be better to TARPIT rather than DROP the packets?

Matt