ssh probing

V13 v13 at v13.gr
Tue Jun 9 23:59:30 EEST 2009


On Tuesday 09 June 2009, Giorgos Keramidas wrote:
> On Tue, 9 Jun 2009 12:26:15 +0300, Nick Demou <ndemou at gmail.com> wrote:
> > On a freshly installed linux server I saw 5,784 failed attempts by
> > unknown parties to connect over ssh within 48 hours (2 attempts per
> > second!)
> >
> There is rate-limiting.  On my modem I have the ssh port open and mapped
> to the laptop's static IP.  In my `/etc/pf.conf' I have:
>
>     pass inet proto tcp from any to any port = 22 flags S/SA keep state \
>              (max-src-conn 10, max-src-conn-rate 5/3, \
>               overload <bruteforce> flush global)

There is also a little trick you can do. I have applied it with (I dare say)
great success -- it has given me peace of mind:

* First, you count how many bytes are transferred in a failed attempt
* Then you count how many such attempts are made
* If someone exceeds the limit, they go into a blacklist and come out on
Saint Never's day (or after 5 minutes).
* Once they are in the blacklist you can simply DROP their packets or, even
better, use iptables' "-j BLACKHOLE".

The following works *VERY* well for many machines (one rule on the network
firewall -- for all of them) with ssh:

# Assumed from context (not shown in the post): $I is the iptables binary
# and $IF_EX is the external interface.
T=restrict_ssh_fail
$I -N $T

# Optional: log sources that are already over the limit before rejecting them.
#$I -A $T -i $IF_EX -p tcp --dport 22 --syn \
#    -m recent --name badssh --rcheck --seconds 300 --hitcount 5 \
#    -j LOG --log-prefix "D-SSH-FAILRATE "

# New connection (SYN) from a source with 5 or more 'badssh' hits in the last
# 300 seconds: reset it, and refresh the source's entry while doing so.
$I -A $T -i $IF_EX -p tcp --dport 22 --syn \
 -m recent --name badssh --update --seconds 300 --hitcount 5 \
 -j REJECT --reject-with tcp-reset

# Connection closing (FIN) after fewer than 3000 bytes in the client->server
# direction, i.e. a login that never became a session: record the source.
$I -A $T -i $IF_EX -p tcp --dport 22 --tcp-flags FIN FIN \
 -m connbytes --connbytes-dir original --connbytes-mode bytes \
 --connbytes 0:3000 -m recent --name badssh --set

$I -A $T -j RETURN

$ cat /proc/net/xt_recent/badssh  | wc -l
44

If you are worried about it, you can add one more rule so that when a
connection with more than 3000 bytes exists, the relevant entry is deleted
from the list, although I have not needed it so far. If you apply it on many
machines, some of them will see no annoyance at all.

The risk is small, since all that can happen is that you stay locked out for
5 minutes. (A chance to make coffee.) Also, nobody can lock someone else out
in a ... ehm ... "sideways" manner.

<<V13>>
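As an added example (not part of V13's post, nor code from the iptables project): a small offline audit script that parses a table in the format of /proc/net/xt_recent/badssh shown above and reports which sources the '--update --seconds 300 --hitcount 5' rule would currently reject. The line layout follows the kernel's xt_recent proc output (timestamps are kernel jiffies); the sample table, the HZ value of 250 and the "current" jiffies value are constructed assumptions.

```python
import re
from dataclasses import dataclass

# One table line, as written by the kernel (all timestamps are kernel jiffies):
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: N J1, J2, ...
LINE_RE = re.compile(
    r"src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last>\d+) "
    r"oldest_pkt: (?P<oldest>\d+)(?P<stamps>.*)$"
)

# Constructed sample table; HZ=250 and the current jiffies value are assumptions.
SAMPLE_TABLE = """\
src=192.0.2.10 ttl: 64 last_seen: 4295070000 oldest_pkt: 4 4295030000, 4295040000, 4295050000, 4295060000, 4295070000
src=198.51.100.7 ttl: 52 last_seen: 4295095000 oldest_pkt: 4 4295000000, 4295010000, 4295080000, 4295090000, 4295095000
src=203.0.113.5 ttl: 61 last_seen: 4295099000 oldest_pkt: 1 4295098000, 4295099000
"""
SAMPLE_HZ, SAMPLE_NOW = 250, 4295100000

@dataclass
class RecentEntry:
    src: str
    ttl: int
    last_seen: int
    stamps: list  # jiffies of each recorded short connection, oldest first

def parse_xt_recent(text):
    """Parse the proc table; reject lines that do not match the kernel format."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised xt_recent line: {line!r}")
        stamps = [int(s) for s in m["stamps"].replace(",", " ").split()]
        entries.append(RecentEntry(m["src"], int(m["ttl"]), int(m["last"]), stamps))
    return entries

def would_be_rejected(entries, now_jiffies, hz, seconds=300, hitcount=5):
    """Mirror '--update --seconds 300 --hitcount 5': return {src: hits} for every
    source with at least `hitcount` recorded hits inside the last `seconds` seconds."""
    window = seconds * hz
    counts = {e.src: sum(1 for s in e.stamps if now_jiffies - s <= window) for e in entries}
    return {src: n for src, n in counts.items() if n >= hitcount}

if __name__ == "__main__":
    over = would_be_rejected(parse_xt_recent(SAMPLE_TABLE), SAMPLE_NOW, SAMPLE_HZ)
    for src, n in over.items():
        print(f"{src}: {n} short ssh connections in the last 300 s -> new SYNs get REJECT")
```

On a live box the table is read from /proc/net/xt_recent/badssh, but the current jiffies value and kernel HZ are not exposed to userland directly, so the comparison is most useful for reviewing a saved copy of the table.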
