[aklug] Re: Iptables: Automatic Blacklisting

From: J D <donovanj@gmail.com>
Date: Thu Dec 23 2010 - 10:28:59 AKST

On Tue, Dec 21, 2010 at 2:53 AM, Christopher Howard
<cmhoward@frigidcode.com> wrote:
> As a naive iptables user, I was wondering what you guys thought of this:
>
> http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
>
> I've been getting a lot of attacks lately of the kind described in the article: the attacker will try SSH'ing into 40 or 50 different common user names, and then a few seconds later he will try again from another host.

I've been doing a number of limits on common ports for years now.

The most commonly abused is ssh.
So I have set up limits of:

ssh 1 per minute with an initial burst of 5.

I can see in my logs that before I turned this on I'd get 100s from a
single IP, and there would be lots of hosts trying.
Now that I've got it set to the above, I see 1-3 hosts a day try, and
usually hours apart.

I've had zero complaints from legitimate users.

-J
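
Added example, not part of the message above: the post does not say which iptables match it uses, so this sketch assumes the `limit` match on TCP port 22 in the INPUT chain, and models that match's token bucket to show what "1 per minute with an initial burst of 5" admits. The function names and the arrival times are constructed for illustration.

```shell
#!/bin/sh
# Assumption: the limits described are built with the iptables `limit` match.

# Emit the rules in iptables-restore format. Review them, then load as root
# with `iptables-restore --noflush`. Port 22 and the INPUT chain are assumptions.
ssh_limit_rules() {
    cat <<'EOF'
*filter
-A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Token-bucket model of the limit match, with credit counted in seconds.
#   $1 = seconds needed to earn one connection (60 for 1/minute)
#   $2 = burst size
#   remaining args = arrival times of NEW connections, in seconds, ascending
# The bucket starts full, refills one second of credit per elapsed second up
# to burst*interval, and each accepted connection spends one interval.
# Prints the number of connections accepted.
count_accepted() {
    interval=$1 burst=$2; shift 2
    cap=$((interval * burst)); credit=$cap; last=0; accepted=0
    for t in "$@"; do
        credit=$((credit + t - last)); last=$t
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval)); accepted=$((accepted + 1))
        fi
    done
    echo "$accepted"
}

# Constructed input: one attempt per second for 50 seconds.
ssh_limit_rules
echo "accepted out of 50 attempts in 50 s: $(count_accepted 60 5 $(seq 1 50))"
```

The `limit` match keeps a single bucket for all sources, so a host that drains it also delays new connections from legitimate users until credit returns. The `recent` match in the linked article and `hashlimit` with `--hashlimit-mode srcip` track each source address separately.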
Received on Thu Dec 23 10:29:29 2010