Comments on: Mitigating SSH Brute Force Attacks with ipt_recent

By: Yaz Okulu

Yaz Okulu — Thu, 13 Mar 2008 18:28:19 +0000

does anyone knows if there is any other information about this subject in other languages?

By: Rommidze

Rommidze — Wed, 14 Feb 2007 15:29:51 +0000

There is also another one, but more user friendly way to protect ssh, is to use pam-abl:
http://tech.tolero.org/blog/en/linux/ssh-password-brute-force-protection

By: Juergen Kreileder

Juergen Kreileder — Sun, 22 Oct 2006 16:56:25 +0000

Yeah, I've seen that Limit has been included in the upstream version some time ago. I'll add a note to the article.

By: Daniel Andersson

Daniel Andersson — Sun, 22 Oct 2006 16:38:22 +0000

I’ve been using this tip successfully for, I don’t know, about a year now. A couple of hours ago when I ran a “apt-get dist-upgrade” on my Debian Unstable-machine, Shorewall was upgraded and after that unable to start. It reported an error regarding this very tip.

The solution was found a while later. In the changelog (which I read during installation, just not carefully enough :-) ) it says:

“”
The ‘Limit’ action is now a builtin. If you have ‘Limit’ listed in
/etc/shorewall/actions, remove the entry. Also remove the files
/etc/shorewall/action.Limit and/or /etc/shorewall/Limit if you have
them.
“”
http://www1.shorewall.net/pub/shorewall/development/3.3/shorewall-3.3.3/releasenotes.txt

The answer lies here though: http://www.shorewall.net/PortKnocking.html#Limit . In other words: out with the old, in with the new. On the same page, further up, there is a replacement for the Whitelist-action as well.

By: Jonathan

Jonathan — Wed, 18 Oct 2006 10:45:29 +0000

… belay that comment.
I’m slightly dumb today and wasn’t reading your instructions correctly.
It all seems to be working now that I correctly followed them.
Thanks for writing the scripts :)

By: Jonathan

Jonathan — Wed, 18 Oct 2006 10:25:33 +0000

Hi!

I’m quite new to shorewall, but I’ve been experiencing bruteforce ssh attacks and so I wanted to use your scripts to try and stop them. Unfortunately, when I try to start shorewall again, the command fails with:

ERROR: Invalid TARGET in rule “[ -n “$TAG” ] || fatal_error “TAG not set” ”

And so I’m not sure what’s going wrong …

By: Juergen Kreileder

Juergen Kreileder — Tue, 11 Oct 2005 10:37:46 +0000

Yes, they time out within a minute when the attacker stops sending packets. The Limit action uses "... -m recent --update --seconds 60 --hitcount 6 -rttl --name SSH -j DROP". That means: If the source address is in the ipt_recent list named SSH and six or more NEW packets with the same TTL have been received in the last 60 seconds then drop this packet. Once the number of packets received in the last 60 seconds drops below 6 again (ie. if no new packets arrive for some time), the rule won't hit.

By: micah

micah — Tue, 11 Oct 2005 00:47:56 +0000

Do these DROP’s ever time out? It would be good if they were automatically released a few hours later…

By: Juergen Kreileder

Juergen Kreileder — Fri, 07 Oct 2005 18:01:41 +0000

I’ll post an extended article in the next days.

By: Hal Dougherty

Hal Dougherty — Fri, 07 Oct 2005 17:32:57 +0000

I second the request. I’ve had someone trying to log in as root and other users for some time now. I use secure passwords, disalow root login and use shorewall to drop or reject multiple login trys, but a working script to limit failed attempts would be fantastic.

Thanks in advance.

By: joeyski

joeyski — Thu, 06 Oct 2005 11:15:41 +0000

I got here from this link:

http://thread.gmane.org/gmane.linux.gentoo.security/2486

can you make a more noobie friendly with more explanation, step by step guide for this?

Thanks for this guide.