[UFO Chicago] Tripwire to shut off ssh access to a host?

Jordan Bettis jordanb at hafd.org
Fri Nov 17 11:29:37 PST 2006


On Fri, Nov 17, 2006 at 01:04:49PM -0600, Neil R. Ormos wrote:
> Jordan Bettis wrote:
>
> > If you make four ssh connections in 60 seconds,
> > it will blacklist you, but the blacklist will
> > expire in a minute if you don't try to make
> > another connection and reset the counter before
> > it expires.
> 
> Thanks to Nate for posting the iptables recipe.
> Thanks to Jordan for decoding it, as I know little
> about iptables and the decoding saved me a lot of
> time

Well, I was a little bit wrong and should clarify
(I spoke with Nate on IRC last night).

The host itself doesn't get blacklisted.

Only those packets that match rule one get dropped.

Which is to say, only packets that are initiating a
new SSH connection.

That means any packets to any other services get
through, and even packets to SSH that are part of
an existing connection go through. Which is really
cool because even if you accidentally trigger the
thing it won't kill any existing ssh connections
you have, you just have to wait for a minute before
you can start a new connection.

Also it apparently blocks the fourth connection
attempt along with the subsequent ones. So with
that setup you're allowed three connection attempts
in a minute.

The way to get unblocked is still to wait a full
minute after your LAST attempt for the rule to
expire.

You should be using at least kernel 2.6.13, I
believe, to avoid a bug in ipt_recent.

-- 
Jordan Bettis -- Chicago Il.
  <http://neighborhoods.chicago.il.us>
    Photographs of Life in the Neighborhoods of Chicago
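Added example (not from the thread, and not Nate's recipe, which is not quoted here): a small Python model of the iptables "recent" match that the post describes, so the behaviour can be traced packet by packet. The rule set in the module docstring is an assumption, the common --set / --update --seconds 60 --hitcount 4 pattern that matches Jordan's description; the hit-count and timestamp semantics follow the kernel's xt_recent module as I read it (a stamp exactly 60 s old still counts, and a matching --update records a stamp of its own); the ip_pkt_list_tot ring size, the addresses and the traffic are constructed for the example. It shows the three points made above: the fourth NEW SSH packet inside a minute is dropped, packets of existing sessions and of other services are untouched, and an early retry only adds timestamps. The post's advice of a full minute after the last attempt is always enough; earliest_accepted_new() computes the exact moment under this model, which can be sooner once the older stamps have aged out.

```python
"""Model of a 'recent'-module SSH rate limit (assumed rules, see lead-in):

  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
      -m recent --name SSH --set
  iptables -A INPUT -p tcp --dport 22 -m state --state NEW \
      -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
"""
from collections import deque
from dataclasses import dataclass

WINDOW = 60     # --seconds 60
HITCOUNT = 4    # --hitcount 4
LIST_TOT = 20   # ip_pkt_list_tot: stamps kept per address (assumed kernel default)


@dataclass
class Packet:
    src: str
    dport: int
    new: bool   # True for the packet that opens a connection (conntrack NEW)


class RecentTable:
    """One named list of the recent match, keyed by source address."""

    def __init__(self):
        self.stamps = {}  # src -> ring of arrival times (integer seconds)

    def set(self, src, now):
        """--set: record this packet's time for src."""
        self.stamps.setdefault(src, deque(maxlen=LIST_TOT)).append(now)

    def update(self, src, now):
        """--update --seconds WINDOW --hitcount HITCOUNT.

        Matches when src has at least HITCOUNT stamps no older than WINDOW
        seconds; on a match --update records another stamp as well.
        """
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if s >= now - WINDOW)
        if hits >= HITCOUNT:
            stamps.append(now)
            return True
        return False


def filter_packet(table, pkt, now):
    """Verdict for one inbound packet under the three assumed rules."""
    if pkt.dport != 22 or not pkt.new:
        return "ACCEPT"        # neither recent rule matches: other services and
                               # packets of established SSH sessions pass untouched
    table.set(pkt.src, now)    # rule 1: every NEW SSH packet leaves a stamp
    if table.update(pkt.src, now):
        return "DROP"          # rule 2: fourth and later attempts within 60 s
    return "ACCEPT"            # rule 3


def earliest_accepted_new(table, src, now):
    """Earliest time >= now at which a NEW SSH packet from src passes.

    The attempt adds a stamp of its own, so it passes once at most HITCOUNT-2
    older stamps are inside the window, i.e. once the (HITCOUNT-1)-th most
    recent stamp is more than WINDOW seconds old.
    """
    stamps = sorted(table.stamps.get(src, ()), reverse=True)
    if len(stamps) < HITCOUNT - 1:
        return now
    return max(now, stamps[HITCOUNT - 2] + WINDOW + 1)


def run_scenario():
    """Constructed traffic for this example; returns (table, verdicts)."""
    table = RecentTable()
    traffic = [
        (0,   Packet("10.0.0.5", 22, True)),   # 1st attempt
        (10,  Packet("10.0.0.5", 22, True)),   # 2nd
        (20,  Packet("10.0.0.5", 22, True)),   # 3rd
        (30,  Packet("10.0.0.5", 22, True)),   # 4th in 60 s: dropped
        (35,  Packet("10.0.0.5", 22, False)),  # packet of a session opened earlier
        (40,  Packet("10.0.0.5", 80, True)),   # new connection to another service
        (45,  Packet("10.0.0.9", 22, True)),   # another host has its own counter
        (50,  Packet("10.0.0.5", 22, True)),   # impatient retry: still blocked
        (110, Packet("10.0.0.5", 22, True)),   # a full minute after the last try
    ]
    verdicts = [(t, filter_packet(table, p, t)) for t, p in traffic]
    return table, verdicts


if __name__ == "__main__":
    _, verdicts = run_scenario()
    for t, verdict in verdicts:
        print(f"t={t:3d}s  {verdict}")
```

The model counts the blocked attempt twice (once from --set, once from the matching --update), which is why an early retry pushes the unblock time out further than the retry itself; it is also why waiting a full minute after the last attempt, as advised above, always works regardless of how many dropped retries preceded it.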

