Old 07-17-2005
Brian Hall
 
Re: Dictionary sshd attacks

On 2005-07-17, Michael Heiming wrote:
> In comp.os.linux.security Wayne <wayne@nospam.4me.invalid>:
>> Is it possible to have sshd or some other daemon recognize
>> a dictionary attack in progress, and to "shun" that IP for


There was a recent posting about this on slashdot, and several people
posted iptables methods of dealing with this, using the "recent" rule.

http://it.slashdot.org/article.pl?sid=05/07/16/1615233
"Rundown on SSH Brute Force Attacks"

What I'd like to see is to get the "tarpit" target incorporated into
the mainline kernel (currently it is only in the extra patch-o-matic).
Then everyone could easily use recent and tarpit to slow the scans.

I'd love to tie up these idiots' ssh scanners as much as possible!

This is what was posted (there was a more complicated one that allowed
for ssh IP whitelisting):

-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j DROP
-A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT --to-destination $INTERNAL:22
-A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination $INTERNAL:22

So if you have the tarpit patch added, I guess all that needs to be done
is to replace "-j DROP" with "-j TARPIT".

--
Brian Hall
Linux Consultant
http://pcisys.net/~brihall
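An added example, not code from Brian Hall's post or the Slashdot thread it cites: the same "recent" rate-limiting idea written for the common case where sshd runs on the firewall host itself, so the rules go in the filter table's INPUT chain instead of nat PREROUTING with a DNAT. The script emits the iptables commands as text so they can be reviewed (and tested) without root, and runs them only when invoked with --apply. The list name sshscan, the TRUSTED whitelist variable, and the defaults for port, window and hit count are all assumptions of this example, not from the original.

```shell
#!/bin/sh
# Added example (not from the original post): "recent"-based SSH rate limiting
# in the filter table's INPUT chain, emitted as text for review before applying.
# Hypothetical defaults; override via environment variables.

SSH_PORT="${SSH_PORT:-22}"
HITCOUNT="${HITCOUNT:-3}"   # new connections tolerated per source inside WINDOW
WINDOW="${WINDOW:-600}"     # seconds; a source is released once it is quiet this long
TRUSTED="${TRUSTED:-}"      # space-separated source CIDRs that are never rate-limited
NAME="sshscan"              # xt_recent list name (assumed, not from the post)

# Print one iptables command per line; nothing is executed here.
# Note: these are appended (-A), so they must come before any blanket
# "--dport 22 -j ACCEPT" already in INPUT, or they are never reached.
ssh_ratelimit_rules() {
    # 1. Whitelist trusted sources first so an admin can never lock themselves out.
    for net in $TRUSTED; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$net" "$SSH_PORT"
    done

    # 2. Count only NEW connections: packets of an established session never
    #    add hits, so a long-running legitimate login cannot trip the limit.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name %s --set\n' \
        "$SSH_PORT" "$NAME"

    # 3. Log offenders, but rate-limit the LOG target so a scanner cannot
    #    flood syslog (the quoted rules log every blocked packet).
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name %s --rcheck --seconds %s --hitcount %s -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "SSH attack: "\n' \
        "$SSH_PORT" "$NAME" "$WINDOW" "$HITCOUNT"

    # 4. Drop with --update rather than --rcheck: --update refreshes the
    #    source's timestamp on every further attempt, so a scanner that keeps
    #    retrying stays blocked until it has been silent for WINDOW seconds.
    #    With --rcheck it would be let back in as soon as its oldest hit aged out.
    #    HITCOUNT must not exceed the module's ip_pkt_list_tot (default 20).
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
        "$SSH_PORT" "$NAME" "$WINDOW" "$HITCOUNT"
}

# Default action: print the rules for review. With --apply, run them (needs root).
if [ "${1:-}" = "--apply" ]; then
    ssh_ratelimit_rules | while read -r cmd; do
        eval "$cmd"
    done
else
    ssh_ratelimit_rules
fi
```

Run it with no arguments to see exactly what would be installed (for example with TRUSTED="192.0.2.0/24" set in the environment), then as root with --apply. Swapping "-j DROP" for "-j TARPIT" in the last rule is the same one-word change the post describes, provided the kernel has the tarpit target.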