
Zypher

Members
  • Content Count

    1
  • Joined

  • Last visited

Community Reputation

0 Neutral

About Zypher

  • Rank
    Noob

Previous Fields

  • Distribution
    Redhat based, CentOS, Fedora
  1. Add this to the Rules and you have a great SSH Brute-force blocker

     # create properREJECT chain that does different rejects for tcp/udp
     iptables -N properREJECT
     iptables -A properREJECT -p tcp -j REJECT --reject-with tcp-reset
     iptables -A properREJECT -j REJECT --reject-with icmp-port-unreachable
     #
     iptables -N blacklistdrop
     iptables -A blacklistdrop -j LOG --log-prefix "adding to BLACKLIST: "
     iptables -A blacklistdrop -m recent --name BLACKLIST --set -j DROP
     #
     # the chains extern_in and extern_out are assumed to already exist in your ruleset
     # (they are not created by these lines)
     #
     # on external hosts, do rate limiting on incoming ssh packets, and keep a blacklist for 60 seconds
     # this rule drops *any* packet if the IP is in the blacklist
     # icmp 'destination-unreachable' packets should not update BLACKLIST, because
     # they are generated by our own REJECT rule in the extern_out chain
     iptables -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP
     #
     # all *established* ssh connections simply continue
     iptables -A extern_in -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
     #
     # *new* ssh connections are all put into a list 'sshconn', and if there are 4 such packets in 60 seconds
     # we send the package to chain 'blacklistdrop' which puts the IP in the blacklist
     # (--rcheck --hitcount 5 matches once 5 earlier NEW packets from that IP are already recorded)
     iptables -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --rcheck --seconds 60 --hitcount 5 -j blacklistdrop
     #
     # if we have seen less than 4 such packets in the last 60 seconds we accept
     iptables -A extern_in -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --set -j ACCEPT
     #
     # if the destination address is in the blacklist, we REJECT *any* packet
     iptables -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT
     #
     # outgoing we accept all ssh traffic, with connection tracking
     iptables -A extern_out -p tcp --sport 22 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT

     And edit /etc/syslog.conf with the following line to log firewall related stuff to a different file

     kern.* /var/log/firewall.log
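To make the behaviour of the rules above concrete, here is an added Python model of the two xt_recent tables (sshconn and BLACKLIST) and the order in which the extern_in rules consult them. It is not part of Zypher's post; it assumes the semantics of --set, --rcheck, --update, --seconds and --hitcount as documented for xt_recent (hits are counted over the timestamps already stored before the current packet), and the source addresses are constructed from documentation ranges.

```python
"""Model of the sshconn / BLACKLIST rate-limit rules from the post above.

Only the rules that touch the two recent lists are modelled; the real
extern_in chain may contain other rules for non-ssh traffic.
"""

# xt_recent keeps at most ip_pkt_list_tot (default 20) timestamps per address.
MAX_STAMPS = 20


class RecentList:
    """One `-m recent --name X` table: address -> list of packet timestamps."""

    def __init__(self):
        self.stamps = {}

    def set(self, addr, now):
        """--set: record a hit for addr (always matches)."""
        s = self.stamps.setdefault(addr, [])
        s.append(now)
        del s[:-MAX_STAMPS]
        return True

    def check(self, addr, now, seconds=None, hitcount=None, update=False):
        """--rcheck (update=False) or --update (update=True).

        Matches when at least `hitcount` stored timestamps lie within the
        last `seconds`; --update additionally records a new hit on match.
        """
        hits = 0
        for t in self.stamps.get(addr, []):
            if seconds is not None and now - t > seconds:
                continue  # stamp is outside the window, ignore it
            hits += 1
            if hitcount is None or hits >= hitcount:
                if update:
                    self.set(addr, now)
                return True
        return False


class Firewall:
    def __init__(self):
        self.sshconn = RecentList()
        self.blacklist = RecentList()
        self.log = []  # mimics the LOG target in chain blacklistdrop

    def extern_in(self, src, now, state="NEW", dport=22):
        """Walk the extern_in rules for one packet; returns (verdict, reason)."""
        # rule 1: any packet from a blacklisted IP is dropped, and the
        # --update refreshes the 120 s timer, so a persistent sender stays blocked
        if self.blacklist.check(src, now, seconds=120, update=True):
            return ("DROP", "BLACKLIST")
        if dport != 22:
            return ("CONTINUE", "not ssh")  # handled by rules not modelled here
        # rule 2: established/related ssh flows pass
        if state in ("ESTABLISHED", "RELATED"):
            return ("ACCEPT", "established")
        if state != "NEW":
            return ("CONTINUE", "untracked state")
        # rule 3: 5 earlier NEW packets within 60 s -> chain blacklistdrop
        if self.sshconn.check(src, now, seconds=60, hitcount=5):
            self.log.append("adding to BLACKLIST: SRC=%s" % src)
            self.blacklist.set(src, now)
            return ("DROP", "blacklistdrop")
        # rule 4: otherwise record the attempt and accept
        self.sshconn.set(src, now)
        return ("ACCEPT", "new ssh")


def simulate(events):
    """events: iterable of (time_seconds, src_ip) NEW ssh packets. Returns verdicts."""
    fw = Firewall()
    return [fw.extern_in(src, t)[1] for t, src in events]


if __name__ == "__main__":
    # constructed sample: six rapid attempts, a retry while blacklisted,
    # an unrelated host, and a retry after the blacklist entry has aged out
    attacker, other = "203.0.113.5", "198.51.100.7"
    events = [(t, attacker) for t in range(6)]
    events += [(10, attacker), (11, other), (131, attacker)]
    for (t, src), reason in zip(events, simulate(events)):
        print("t=%3d %-14s %s" % (t, src, reason))
```

Running it shows the first five NEW connections accepted, the sixth logged and blacklisted, the retry at t=10 dropped by the BLACKLIST rule (which also refreshes the timer), the other host unaffected, and the attacker accepted again only once 120 s of silence have passed and its old sshconn stamps have fallen outside the 60 s window.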