[UFO Chicago] Tripwire to shut off ssh access to a host?

Nate Riffe inkblot at movealong.org
Mon Nov 13 10:18:15 PST 2006


Jordan Bettis said this (probably recently):
> ISTR a program that uses netfilter to automatically
> block hosts that fail login to ssh x number of
> times. It's not 'tripwire' though, which would
> be the obvious, that does something entirely
> different.
> 
> Does anyone know what that program is, as I
> can not find it now in debian stable.

It's not a "program," it's just these four rules, the second of which
is optional if you don't want to log blocked connections and the last
of which is optional if you are not otherwise blocking access to port
22:

# 1. record every new SSH connection from the source address in the "recent" list named SSH
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# 2. (optional) log sources seen 4 or more times in the last 60 seconds;
#    --rttl is the documented spelling of the option (it also requires the packet's TTL
#    to match the one recorded by --set, so a spoofed address cannot get someone else blocked)
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix "SSH brute force"
# 3. drop them; --update adds a fresh timestamp on every match, so the block lasts as long as attempts keep coming
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# 4. (optional) accept the remaining new SSH connections
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

It requires the netfilter "recent" and "state" modules, and the second
rule requires the netfilter "ULOG" module.  All three of these modules
are config options in recent 2.6-series kernels.  As long as those
modules exist on your system and you can get these rules inserted into
your netfilter tables at boot, you're set.

-Nate

-- 
--< ((\))< >----< inkblot at movealong.org >----< http://www.movealong.org/ >--
pub  1024D/05A058E0 2002-03-07 Nate Riffe (06-Mar-2002) <inkblot at movealong.org>
     Key fingerprint = 0DAC F5CB D182 3165 D757  C466 CD42 12A8 05A0 58E0
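The four rules above, as an added simulation (not from the original post) of how the recent match's 60-second window, the hit count and the --update refresh interact; the source address, TTL and attempt times are constructed sample values, and the model is a simplification of xt_recent:

```python
from collections import deque
from dataclasses import dataclass, field

SECONDS = 60     # --seconds 60
HITCOUNT = 4     # --hitcount 4
MAX_STAMPS = 20  # xt_recent default ip_pkt_list_tot: oldest stamps get overwritten

@dataclass
class Entry:
    ttl: int
    stamps: deque = field(default_factory=lambda: deque(maxlen=MAX_STAMPS))

class RecentList:
    # simplified model of one xt_recent list (here the one named SSH)
    def __init__(self):
        self.entries = {}

    def set(self, src, ttl, now):
        # --set: create the entry, or add one more timestamp to it
        e = self.entries.setdefault(src, Entry(ttl))
        e.stamps.append(now)
        e.ttl = ttl

    def update(self, src, ttl, now):
        # --update --seconds 60 --hitcount 4 --rttl: match when the source has
        # HITCOUNT or more stamps within the last SECONDS and the TTL matches
        # the recorded one; a match adds yet another stamp (the "update")
        e = self.entries.get(src)
        if e is None or e.ttl != ttl:
            return False
        if sum(1 for s in e.stamps if now - s <= SECONDS) < HITCOUNT:
            return False
        e.stamps.append(now)
        return True

def input_chain(lst, src, ttl, now, log):
    """Run one NEW connection to port 22 through the four rules; return the verdict."""
    lst.set(src, ttl, now)                        # rule 1: --set
    if lst.update(src, ttl, now):                 # rule 2: ULOG (non-terminating)
        log.append(f"SSH brute force src={src} t={now}")
    if lst.update(src, ttl, now):                 # rule 3: DROP
        return "DROP"
    return "ACCEPT"                               # rule 4: ACCEPT

def simulate(times, src="198.51.100.7", ttl=64):
    """Verdicts for attempts from one (constructed) source at the given seconds."""
    lst, log = RecentList(), []
    return [input_chain(lst, src, ttl, t, log) for t in times], log
```

Running `simulate([0, 10, 20, 30, 80, 130, 180])` shows the fourth attempt and every later one within 60 s of the last being dropped, while `simulate([0, 10, 20, 30, 100])` shows a source that pauses for more than 60 s being accepted again.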

