SCIENTIFIC-LINUX-USERS Archives

December 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date:
Fri, 30 Dec 2011 18:16:35 -0800
On 2011/12/30 18:05, MT Julianto wrote:
> On 30 December 2011 14:22, jdow <[log in to unmask]> wrote:
>
>     On 2011/12/30 00:14, MT Julianto wrote:
>
>         Indeed, I found some traces of an intruder trying to get root access via
>         ssh, but
>         none succeeded.  Now, I use fail2ban (available at atrpms) to handle
>         them.
>
>
>     I find zero to five tries a day. For some strange reason every try is from a
>     different address.
>
>
> Exactly!  I have a web server which still gets thousands of sshd attacks per month,
> although fail2ban is installed with bantime = 1 hour :-(
>
> For the current machine, just before fail2ban was installed yesterday, I found
> about 500 tries in half an hour from the same address.  sshd attacks dropped
> drastically after fail2ban was installed.
>
>     I have my own iptables script with lines like these in it:
>     $IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
>     $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>       --rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
>       --log-level info
>     $IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>       --rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
>
>     The -m recent, --seconds 60, and --hitcount 2 phrases are the magic. Much of
>     that is so that I get the rejects logged, thanks to my sick curiosity.
>
> Interesting!  However, I don't know much about iptables.
>
>     This allows me to typo the password. All I have to do is wait a couple of
>     minutes between tries.
>
> Is it the same as fail2ban with setting: maxretry=1 ?

I don't know. I learned of fail2ban from the BSD mailing list long after I'd
learned that iptables trick. I feel more comfortable with the iptables trick
since it is right there instantly rather than with any log reading delays.
It even prevents two attempts from the same address if the first one was
successful, which is not something I've ever wanted to do. It's one less
piece of software on the system. It means I had to learn iptables a bit.

I learned the trick on one of the Red Hat lists about a decade ago.

{^_^}
