debian/rules
   
Thu, 06 Apr 2006

A solution for blocking ssh probers/scanners.

Erich, there's a much easier solution to blocking those ssh scanning bastards... some nice friendly iptables rules! (I forward ssh to an internal system, so this is in the FORWARD chain; use the INPUT chain otherwise.)

### Catch SSH probes
# Rule 1: the source address is already over the limit -> log the attempt.
# LOG is a non-terminating target, so the packet continues to rule 2.
# (-s 0/0 matches any source and could be left out.)
iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 \
         -m state --state NEW \
         -m recent --rcheck --hitcount 3 --seconds 60 --name SSH_PROBERS \
         -j LOG --log-prefix "Adaptive-FW SSH Prober: "

# Rule 2: same test, but --update also refreshes the address's timestamp
# before dropping, so a host that keeps retrying stays blocked.
iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 \
         -m state --state NEW \
         -m recent --update --hitcount 3 --seconds 60 --name SSH_PROBERS \
         -j DROP

# Rule 3: under the limit -> record this connection against the source
# address and let it through.
iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 \
         -m state --state NEW \
         -m recent --set --name SSH_PROBERS \
         -j ACCEPT

So in the INPUT chain you wouldn't use -o, and -d would be the IP address of your external link (ppp0 in this example).

What it does is use the ipt_recent module to track new connections per source address. Once an address has made three new connections within 60 seconds, further attempts from it are logged and dropped, and because the DROP rule uses --update rather than --rcheck, every blocked attempt refreshes the address's timestamp, so a scanner that keeps hammering stays blocked until it has been quiet for 60 seconds. Of course, this affects normal logins too, so for known hosts it pays to insert a rule beforehand that does a -j ACCEPT.
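As an added example (not code from the original post or from Erich), here is the INPUT-chain variant of the same rule set as a small POSIX shell script, with the trusted-host ACCEPT rule placed in front as recommended above, plus a helper that removes one address from the SSH_PROBERS table through the recent module's /proc interface. The interface name ppp0 and the table name SSH_PROBERS come from the post; the addresses 203.0.113.5 and 192.0.2.10 are constructed documentation addresses, and the proc paths are the ones documented for xt_recent (current kernels) and the older ipt_recent module, which is an assumption about the reader's kernel.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the INPUT-chain
# variant of the SSH_PROBERS rules with whitelist rules first, and provides
# a helper to unblock one address by hand.

# ssh_prober_rules CHAIN IN_IF DST_ADDR [TRUSTED_ADDR ...]
# Prints one iptables command per line, in the order they must be appended.
ssh_prober_rules() {
    chain=$1; in_if=$2; dst=$3; shift 3
    common="-p tcp --dport 22 -d $dst -i $in_if -m state --state NEW"

    # Trusted hosts are accepted before the recent match ever sees them,
    # so they are neither counted nor blocked.
    for trusted in "$@"; do
        printf 'iptables -A %s %s -s %s -j ACCEPT\n' "$chain" "$common" "$trusted"
    done

    # Already over the limit: log (LOG is non-terminating) ...
    printf 'iptables -A %s %s -m recent --rcheck --hitcount 3 --seconds 60 --name SSH_PROBERS -j LOG --log-prefix "Adaptive-FW SSH Prober: "\n' "$chain" "$common"
    # ... then refresh the timestamp and drop, so a persistent scanner stays blocked.
    printf 'iptables -A %s %s -m recent --update --hitcount 3 --seconds 60 --name SSH_PROBERS -j DROP\n' "$chain" "$common"
    # Under the limit: record the source address and accept.
    printf 'iptables -A %s %s -m recent --set --name SSH_PROBERS -j ACCEPT\n' "$chain" "$common"
}

# ssh_prober_unblock ADDR
# Removes ADDR from the SSH_PROBERS table by writing "-ADDR" to the module's
# proc file (see the recent match in iptables-extensions(8)). The path is
# /proc/net/xt_recent/NAME on current kernels and /proc/net/ipt_recent/NAME
# on the older ipt_recent module (assumption). Needs root.
ssh_prober_unblock() {
    for table in /proc/net/xt_recent/SSH_PROBERS /proc/net/ipt_recent/SSH_PROBERS; do
        if [ -w "$table" ]; then
            printf '%s\n' "-$1" > "$table"
            return 0
        fi
    done
    echo "SSH_PROBERS table not found (module not loaded, or not root)" >&2
    return 1
}

# Dry run by default: print the rules for an external address 203.0.113.5
# (constructed) with one trusted admin host. APPLY=1 executes them as root.
ssh_prober_rules INPUT ppp0 203.0.113.5 192.0.2.10 | while IFS= read -r rule; do
    if [ "${APPLY:-0}" = 1 ]; then
        eval "$rule"
    else
        printf '%s\n' "$rule"
    fi
done
```

Run as-is it only prints the four commands; set APPLY=1 to execute them. The FORWARD variant in the post additionally restricts the outgoing interface with -o eth0, which this INPUT-oriented generator leaves out. To see which addresses are currently tracked, read the same proc file the unblock helper writes to.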

I'm enjoying the very short log entries for a given ssh scanning host in my logcheck mail :).

UPDATE 2006/04/07: Whoops...
Sorry Erich, didn't notice that :)

[08:51] [/Hacking]