the BLUG wiki and a graph showing the growth of the worm over a few
months, but I haven't had time to recover the wiki since it broke after
a PHP upgrade. Sorry about that.
Anyways, hashlimit has worked quite well. The problem that I was
running into was that the worm that was running around trying every
first name as a username was hitting my servers so hard that it opened
up enough connections to prevent normal users from logging in. So I
turned on hashlimit in the firewall and that stopped the problem. I
also decided at that point that I would move my servers that don't need
ssh access by customers to a custom port. I found one suitable by
searching a year's worth of firewall logs and found one that hadn't ever
been hit by port scanners. There are actually several ports like this
so don't ask me which one I use. This is an exercise left to the reader.
So you can see, there are other issues besides just "if they get the
right username and password"; they can practically DoS your system.
Back in 2005 I think I was getting somewhere around 60,000 login
attempts per day.
On Wed, Jul 20, 2011 at 08:51:55PM GMT, Williams, Jeffery Allen [] said the following:
> A while back (3 or more years) there was a discussion about ssh brute force attacks. (I think Mark sent something related to SUSO getting hammered.) Since then, I have limited the number of connection attempts per source IP to 4 / minute using hashlimit in iptables. I have other lines that limit service connections to a few per second from any source (ntp for instance). I also have a few things where I reject the first few connection attempts and after that all attempts are dropped until things quiet down.
> I also have notes in my firewall script about portsentry. But I don't know if that's still a thing.
> Finally, my router is a piece of crap. If too many connection attempts happen at once it just locks up until it's power cycled. This further prevents brute force attacks (but is more than a little annoying).
> Jeffery Williams
> Software Engineer
> ISAT Hall
> 867-5309
> _______________________________________________
> BLUG mailing list
Mark Krenz
Bloomington Linux Users Group
Sent from Mutt using Linux
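The hashlimit setup both messages describe, written out as an added example that is not from the thread or its authors: it assumes sshd on port 22 (or a custom port via SSH_PORT), an earlier INPUT rule that already accepts ESTABLISHED/RELATED traffic, and an iptables with the hashlimit and conntrack matches. New SSH connections are capped per source IP at 4 per minute; NTP gets a single global per-second bucket.

```shell
#!/bin/sh
# Added example, not the thread's own firewall script. Default DRY_RUN=1 only
# prints the rules; run with DRY_RUN=0 as root to load them. Not idempotent:
# flush the SSH_LIMIT chain before re-running.
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"          # assumed; set to the custom port if sshd moved
SSH_RATE="${SSH_RATE:-4/minute}"    # new SSH connections allowed per source IP
SSH_BURST="${SSH_BURST:-4}"         # initial allowance before the rate applies
NTP_RATE="${NTP_RATE:-5/second}"    # global cap for inbound NTP queries (assumed value)

# Print the rule list, one iptables invocation per line. Only NEW SSH
# connections enter SSH_LIMIT; hashlimit keyed on srcip returns the packet to
# INPUT while the source is under its rate, otherwise it is logged and dropped.
# The LOG rule is itself rate-limited so an attacker cannot flood syslog.
ssh_hashlimit_rules() {
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_LIMIT
iptables -A SSH_LIMIT -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto $SSH_RATE --hashlimit-burst $SSH_BURST -j RETURN
iptables -A SSH_LIMIT -m limit --limit 10/minute -j LOG --log-prefix "ssh-ratelimit: " --log-level 4
iptables -A SSH_LIMIT -j DROP
iptables -A INPUT -p udp --dport 123 -m hashlimit --hashlimit-name ntp --hashlimit-upto $NTP_RATE --hashlimit-burst 10 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j DROP
EOF
}

# Print the rules (DRY_RUN=1) or execute each line in order, stopping at the
# first failure so a half-loaded chain is noticed rather than silently ignored.
apply_rules() {
    if [ "$DRY_RUN" != "0" ]; then
        ssh_hashlimit_rules
        return 0
    fi
    ssh_hashlimit_rules | while IFS= read -r rule; do
        eval "$rule" || { echo "failed: $rule" >&2; exit 1; }
    done
}

apply_rules
```

Check what the kernel is counting with `iptables -L SSH_LIMIT -v -n` after a few minutes; the DROP counter climbing while the RETURN counter stays flat for a given source is the signature of the username-guessing worm described above.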