[NCLUG] Distributed attack

Michael Milligan milli at acmeps.com
Tue Oct 6 05:54:46 MDT 2009


Sean Reifschneider wrote:
> On 10/01/2009 01:54 PM, grant at amadensor.com wrote:
>> Mine has gone from a few a day to hundreds per hour, if not hundreds per
>> minute.   The interesting things are how much it has increased, and the
> 
> As we mentioned in the SSH presentation last month, move your SSH server to
> a non-standard port

I've been using iptables to stop brute-force attacks in general, not
just SSH, and it works reasonably well -- I have been seeing the botnet
hosts retrying at various (bursty) intervals.  Here's an example where
eth0 is exposed to the public (big-I) Internet:

iptables -N DROP_A
iptables -A DROP_A -m limit --limit 1/s -j LOG --log-prefix 'ATTACK DROP ' \
    --log-ip-options --log-tcp-options
iptables -A DROP_A -j DROP

(The above creates a custom action that logs a message when it drops
packets, at most 1 per second... adjust accordingly)

iptables -A INPUT -i eth0 -p tcp -m multiport ! --dports 80,443,993 \
    -m state --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp -m multiport ! --dports 80,443,993 \
    -m state --state NEW -m recent --update --seconds 90 --hitcount 6 -j DROP_A

(This tracks connect attempts and, on subsequent attempts, tracks how
many times.  If there's more than 6 in a 90-second interval, drop any
further packets until 90 seconds have passed without any further attempts.)

Note: it's a web/mail server, so there's a different rate limit for the web/mail ports...

In the last week, my logs show that the top 20 attacked ports are, most
popular first, 139, 445, 2967, 22, 135, 1433, 23, 8080, 5900, 3128,
4899, 3389, 1080, 3306, 1521, 8000, 110, 10000, 1111, 32776, 21.

So it ain't just SSH they are after.

Regards,
Mike

PS: No passwords for my sshd, keys only.

PPS:  And for what it's worth, I completely drop any traffic from 60/8,
with extreme prejudice, which is mostly China.

-- 
Michael Milligan                                   -> milli at acmeps.com
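The following is an added example, not code from the post above or from the iptables project. It is a small Python model of the xt_recent bookkeeping behind the two INPUT rules (`-m recent --set` followed by `-m recent --update --seconds 90 --hitcount 6`), so you can see which NEW connection attempts the pair would hand to DROP_A. The class and function names (RecentList, filter_attempts, dropped_times), the sample addresses (documentation ranges) and the attempt timings are all made up for the illustration; the ring size of 20 stamps per address is the xt_recent default (the ip_pkt_list_tot module parameter).

```python
"""Model of the xt_recent '--set' / '--update --seconds --hitcount' rule pair.

Hypothetical example written for this post, not the author's code. It keeps a
per-address ring of timestamps (default size 20, the ip_pkt_list_tot module
parameter) and matches when at least --hitcount stamps fall inside the last
--seconds seconds, which is what the kernel's recent_mt() checks.
"""
from collections import deque


class RecentList:
    """Per-address timestamp ring, as kept by the xt_recent DEFAULT list."""

    def __init__(self, max_stamps=20):
        self.max_stamps = max_stamps
        self.stamps = {}  # address -> deque of timestamps, oldest first

    def set(self, addr, now):
        """-m recent --set: list the address (if needed) and record a stamp."""
        ring = self.stamps.setdefault(addr, deque(maxlen=self.max_stamps))
        ring.append(now)

    def update(self, addr, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount N.

        Matches when the address is listed and at least N stamps were recorded
        within the last S seconds; only on a match is a fresh stamp added,
        which is how --update differs from --rcheck.
        """
        ring = self.stamps.get(addr)
        if ring is None:
            return False
        hits = sum(1 for t in ring if t >= now - seconds)
        if hits >= hitcount:
            ring.append(now)
            return True
        return False


def filter_attempts(attempts, seconds=90, hitcount=6):
    """Run NEW connection attempts, given as (addr, time) pairs, through the
    rule pair and return (addr, time, verdict) with verdict ACCEPT or DROP."""
    recent = RecentList()
    verdicts = []
    for addr, t in attempts:
        recent.set(addr, t)                                   # rule 1: always stamps
        dropped = recent.update(addr, t, seconds, hitcount)   # rule 2: -j DROP_A on match
        verdicts.append((addr, t, "DROP" if dropped else "ACCEPT"))
    return verdicts


# Constructed sample traffic, not real log data: one address connects once a
# second, pauses, retries 89 s after its last attempt, then retries again
# after a long silence; a second address makes a single attempt.
SAMPLE_ATTEMPTS = [("203.0.113.7", t) for t in range(0, 8)] + [
    ("198.51.100.2", 3),
    ("203.0.113.7", 96),   # 89 s after its last attempt at t=7
    ("203.0.113.7", 200),  # quiet for well over 90 s
]


def dropped_times(attempts=SAMPLE_ATTEMPTS, addr="203.0.113.7"):
    """Times at which the given address was sent to DROP_A."""
    return [t for a, t, v in filter_attempts(attempts) if a == addr and v == "DROP"]


if __name__ == "__main__":
    for addr, t, verdict in filter_attempts(SAMPLE_ATTEMPTS):
        print(f"t={t:>4}  {addr:<14} {verdict}")
```

Running it shows the sixth attempt inside the window (t=5) and everything after it being dropped while the host keeps hammering. It also shows the retry at t=96 being accepted: at that point only five of the host's stamps (6, 6, 7, 7 and 96) still lie inside the 90-second window, so the hitcount is not met and the address gets a fresh run of five attempts. If you want a ban that lasts a fixed time after the last attempt regardless of how many stamps remain, the usual pattern is a second named list that is set from DROP_A and checked with --rcheck --seconds before the hitcount rule.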
