Thursday, April 15, 2010

reverse mapping checking getaddrinfo

This is a dictionary attack: literally a machine trying to connect and log in over and over again, using usernames and passwords from a dictionary.


In this situation you can create a set of firewall rules that deny access to remote clients which attempt to connect "too many" times.

If you already have an iptables firewall in place, adding the rules is very straightforward.
The recent module works by adding source IP addresses to a list, which later connection attempts are then tested against. This lets you limit connections by a time window (a number of seconds), by a count of attempts, or both. In our example we'll do both.

An example is probably the simplest way to illustrate how it works. The following two rules limit incoming connections to port 22 to no more than 3 attempts in five minutes; any more than that will be dropped:



   # record the source of every new connection to port 22 in the recent module's list
   sudo iptables -I INPUT -p tcp --dport 22  -m state --state NEW -m recent --set
   # list the INPUT chain to confirm the rule was added
   sudo iptables -L
   # drop a new connection once its source has reached 4 hits within the last 300 seconds
   sudo iptables -I INPUT -p tcp --dport 22  -m state --state NEW -m recent --update --seconds 300 --hitcount 4 -j DROP



============ log file:  sudo less /var/log/auth.log  ==================
Apr 15 02:10:44 SS sshd[23278]: reverse mapping checking getaddrinfo for customer-static-123-146-53.iplannetworks.net [200.123.146.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 02:10:44 SS sshd[23278]: Invalid user rfmngr from 200.123.146.53
Apr 15 02:10:44 SS sshd[23278]: pam_unix(sshd:auth): check pass; user unknown
Apr 15 02:10:44 SS sshd[23278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.146.53
Apr 15 02:10:46 SS sshd[23278]: Failed password for invalid user rfmngr from 200.123.146.53 port 46864 ssh2
Apr 15 02:10:47 SS sshd[23281]: reverse mapping checking getaddrinfo for customer-static-123-146-53.iplannetworks.net [200.123.146.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 02:10:47 SS sshd[23281]: Invalid user sales from 200.123.146.53
Apr 15 02:10:48 SS sshd[23281]: pam_unix(sshd:auth): check pass; user unknown
Apr 15 02:10:48 SS sshd[23281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.146.53
Apr 15 02:10:49 SS sshd[23281]: Failed password for invalid user sales from 200.123.146.53 port 47024 ssh2
Apr 15 02:10:51 SS sshd[23283]: reverse mapping checking getaddrinfo for customer-static-123-146-53.iplannetworks.net [200.123.146.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 02:10:51 SS sshd[23283]: Invalid user recruit from 200.123.146.53
Apr 15 02:10:51 SS sshd[23283]: pam_unix(sshd:auth): check pass; user unknown
Apr 15 02:10:51 SS sshd[23283]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.146.53
Apr 15 02:10:53 SS sshd[23283]: Failed password for invalid user recruit from 200.123.146.53 port 47137 ssh2
Apr 15 02:10:54 SS sshd[23285]: reverse mapping checking getaddrinfo for customer-static-123-146-53.iplannetworks.net [200.123.146.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 02:10:54 SS sshd[23285]: Invalid user alias from 200.123.146.53
Apr 15 02:10:54 SS sshd[23285]: pam_unix(sshd:auth): check pass; user unknown
Apr 15 02:10:54 SS sshd[23285]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.146.53
Apr 15 02:10:56 SS sshd[23285]: Failed password for invalid user alias from 200.123.146.53 port 47248 ssh2
Apr 15 02:10:57 SS sshd[23287]: reverse mapping checking getaddrinfo for customer-static-123-146-53.iplannetworks.net [200.123.146.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 15 02:10:57 SS sshd[23287]: Invalid user office from 200.123.146.53
Apr 15 02:10:57 SS sshd[23287]: pam_unix(sshd:auth): check pass; user unknown
Apr 15 02:10:57 SS sshd[23287]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.146.53
Apr 15 02:11:00 SS sshd[23287]: Failed password for invalid user office from 200.123.146.53 port 47357 ssh2
Apr 15 02:11:01 SS sshd[23289]: reverse mapping checking getaddrinfo for customer-static-123-146-53.iplannetworks.net [200.123.146.53] failed - POSSIBLE BREAK-IN ATTEMPT!
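As an added example (not part of the original post), the following Python script applies the same three-attempts-in-five-minutes idea to auth.log lines like the ones above: it parses sshd's "Failed password" lines per source address and flags the first attempt that would exceed the --seconds 300 / --hitcount 4 limit. The sample log is the excerpt's "Failed password" lines plus two constructed lines from 192.0.2.10; the sliding-window check is a simplification of the recent module's behaviour, not its exact kernel logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the "Failed password" lines from the auth.log excerpt above, plus two
# constructed lines from 192.0.2.10 whose attempts are too far apart to hit the limit.
SAMPLE_LOG = """\
Apr 15 02:10:46 SS sshd[23278]: Failed password for invalid user rfmngr from 200.123.146.53 port 46864 ssh2
Apr 15 02:10:49 SS sshd[23281]: Failed password for invalid user sales from 200.123.146.53 port 47024 ssh2
Apr 15 02:10:53 SS sshd[23283]: Failed password for invalid user recruit from 200.123.146.53 port 47137 ssh2
Apr 15 02:10:56 SS sshd[23285]: Failed password for invalid user alias from 200.123.146.53 port 47248 ssh2
Apr 15 02:11:00 SS sshd[23287]: Failed password for invalid user office from 200.123.146.53 port 47357 ssh2
Apr 15 02:30:12 SS sshd[23301]: Failed password for invalid user test from 192.0.2.10 port 50000 ssh2
Apr 15 02:40:30 SS sshd[23310]: Failed password for invalid user test from 192.0.2.10 port 50001 ssh2
"""

# sshd's "Failed password" line, for both known and invalid user names
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2010):
    """Return {source_ip: [datetime, ...]} of failed logins, in log order."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year, so one has to be supplied
            stamp = " ".join(m["ts"].split())
            failures[m["ip"]].append(
                datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return failures

def sources_over_limit(failures, seconds=300, hitcount=4):
    """Sliding-window version of the --seconds/--hitcount check: a source is over the
    limit at its hitcount-th failure inside the window (the 4th in five minutes here)."""
    window = timedelta(seconds=seconds)
    over = {}
    for ip, stamps in failures.items():
        recent = []
        for ts in sorted(stamps):
            recent = [t for t in recent if ts - t <= window] + [ts]
            if len(recent) >= hitcount:
                over[ip] = ts  # first attempt that would have been dropped
                break
    return over
```

Running sources_over_limit(parse_failures(SAMPLE_LOG)) returns only 200.123.146.53, flagged at 02:10:56, its fourth failure within five minutes; 192.0.2.10 stays under the limit.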
