--------- Original Message --------
From: Dominic Caputo <jec6jec6@gmail.com>
To: netfilter@lists.netfilter.org <netfilter@lists.netfilter.org>
Subject: SSH Brute Force: False Positives
Date: 01/02/07 02:30
>
> I have been reading up on iptables and I am by no means an expert but I have
> a problem with SSH brute force attacks on port 22. I am currently using the
> config below to minimise these threats but I am constantly getting false
> positives (logs actually say that my connection has been flagged as a brute
> force connection even on the first attempt - but then on others it
> connects first time with no problems)
>
> #SSH Brute-Force Scan Check
> $IPTABLES -N SSH_Brute_Force
> $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set --rsource -j SSH_Brute_Force
> $IPTABLES -A SSH_Brute_Force -m recent ! --rcheck --seconds 60 --hitcount 4 --name SSH --rsource -j ACCEPT
> $IPTABLES -A SSH_Brute_Force -j LOG --log-level info --log-prefix "SSH Brute Force Attempt: "
> $IPTABLES -A SSH_Brute_Force -p tcp -j DROP
>
> Any help with this problem would be great
>
> Dominic
>
.... you can start changing the ssh port from 22 to xxx... this doesn't solve
your problem, but this measure minimizes this kind of attack by like 70%
________________________________________________
linux.pctools.cl
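
The following is an added example, not part of the original thread: a small Python model of how the quoted `recent` rules count NEW packets per source address (`--seconds 60 --hitcount 4`). The addresses, timestamps and the `replay` helper are constructed for illustration, and the 20-entry history size is the module's default `ip_pkt_list_tot`, assumed unchanged.

```python
from collections import defaultdict, deque

SECONDS = 60        # --seconds 60
HITCOUNT = 4        # --hitcount 4
PKT_LIST_TOT = 20   # assumed default ip_pkt_list_tot (timestamps kept per source)


class RecentList:
    """Models the per-source timestamp list named by --name SSH --rsource."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # --set: record a timestamp for this source address
        self.stamps[src].append(now)

    def rcheck(self, src, now):
        # --rcheck --seconds N --hitcount H: at least H stamps in the last N seconds
        hits = sum(1 for t in self.stamps[src] if t >= now - SECONDS)
        return hits >= HITCOUNT


def verdict(recent, src, now):
    # INPUT rule: every NEW packet to port 22 is recorded before the check,
    # so the packet being judged is already counted as one hit.
    recent.set(src, now)
    # SSH_Brute_Force rule 1: "! --rcheck ..." -j ACCEPT
    if not recent.rcheck(src, now):
        return "ACCEPT"
    # SSH_Brute_Force rules 2 and 3: LOG, then DROP
    return "DROP"


def replay(packets):
    """packets: list of (time_in_seconds, source_address) for NEW packets."""
    recent = RecentList()
    return [verdict(recent, src, t) for t, src in packets]


if __name__ == "__main__":
    # Constructed sample: one client opening sessions, then a second source.
    sample = [(0, "192.0.2.10"), (10, "192.0.2.10"), (20, "192.0.2.10"),
              (30, "192.0.2.10"), (31, "198.51.100.7"), (50, "192.0.2.10"),
              (85, "192.0.2.10")]
    for (t, src), v in zip(sample, replay(sample)):
        print(f"t={t:>3}s {src:<13} {v}")
```

The fourth NEW packet from one source inside 60 seconds is dropped, and dropped packets are still recorded by `--set`, so a client that keeps retrying stays flagged until fewer than four of its packets fall inside the window. Because the list is keyed on source address, every user behind the same NAT address shares one counter.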