[NBLUG/talk] Multiple IP address / brute force attack

Walter Hansen gandalf at sonic.net
Wed Apr 30 00:07:34 PDT 2008


Ken McGlothlen wrote:
> Sorry to hear it.  These sorts of attacks are getting more and more frequent,
> and without dynamically adaptive firewalls, they're hard to manage.
> 
> | What this means to me is that if you have a range of IPs on your server and
> | actually configure them to work, it's a little like hanging out a big net
> | with bells on it.
> 
> Pretty much.
> 
> | Comments, laughter, ideas?
> 
> No laughter from this corner.  Keeping up with this sort of thing is difficult.
> 
> I guess the main thing is to keep track of what networks spell trouble, and
> keep up with your firewall.  Keep up to date with the patches.  Improve your
> monitoring tools.  And good luck.


Thanks. If it doesn't kill your server it only makes you stronger. Today 
I found that one program I wrote did not get backed up. Tomorrow I get 
to write it again. I hope I remember how it worked and all of what it 
was supposed to do. Think I should re-work the backup setup also.

When they broke in I shut down the server. I think they had access to it 
for less than a minute but it was restarting every ten minutes (offline) 
so it was definitely violated.

Here's the new recipe for dropping bad connections with ssh on 122 no 
less. I tried lots of recipes before one worked right:
# Record SSH: put every new connection to port 122 into the "SSH" recent list
-A INPUT -p tcp -m tcp -m state -m recent --dport 122 --state NEW --set --name SSH
# Log SSH ATTACK: 4 or more new connections from one address within 300 seconds
-A INPUT -p tcp -m tcp -m state -m recent --dport 122 --state NEW -j LOG --update --seconds 300 --hitcount 4 --rttl --name SSH --log-prefix "SSH_brute_force "
# DROP SSH ATTACK: same test as the LOG rule, but this one is terminating
-A INPUT -p tcp -m tcp -m state -m recent --dport 122 --state NEW -j DROP --update --seconds 300 --hitcount 4 --rttl --name SSH
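An added model of what those three rules do, not part of the original post: it simulates the bookkeeping of the xt_recent match (--set, then --update --seconds 300 --hitcount 4) over constructed connection attempts, so you can see exactly which attempt trips the LOG and DROP rules and when an address drops out of the window again. The --rttl check is not modelled, and the per-address stamp cap of 20 is an assumption (the older ip_pkt_list_tot default).

```python
from collections import defaultdict, deque

SECONDS = 300      # --seconds
HITCOUNT = 4       # --hitcount
PKT_LIST_TOT = 20  # assumed per-address stamp cap (xt_recent ip_pkt_list_tot)


class RecentList:
    """One named list (--name SSH): source address -> recent hit timestamps."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, ip, now):
        # --set: add (or refresh) the address and record a hit. It never
        # "matches", which is why the first rule carries no -j target.
        self.stamps[ip].append(now)

    def update(self, ip, now):
        # --update --seconds S --hitcount N: match when the address is listed
        # with at least N hits strictly newer than (now - S); a match also
        # records the current packet as one more hit. --rttl is not modelled.
        if ip not in self.stamps:
            return False
        cutoff = now - self.seconds
        if sum(1 for t in self.stamps[ip] if t > cutoff) >= self.hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def run_chain(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """Run NEW connections (time_in_seconds, src_ip) through the three rules;
    returns one verdict per attempt. Note it counts connections, not failed
    logins, so a legitimate user reconnecting often is dropped as well."""
    ssh = RecentList(seconds, hitcount)
    verdicts = []
    for now, ip in attempts:
        ssh.set(ip, now)     # rule 1: record every new SYN to port 122
        ssh.update(ip, now)  # rule 2: -j LOG is non-terminating, fall through
        verdicts.append("DROP" if ssh.update(ip, now) else "ACCEPT")  # rule 3
    return verdicts


if __name__ == "__main__":
    # Constructed sample: one scanner hammering, one admin connecting twice.
    sample = [(0, "203.0.113.9"), (5, "203.0.113.9"), (9, "198.51.100.4"),
              (10, "203.0.113.9"), (15, "203.0.113.9"), (400, "198.51.100.4")]
    for (now, ip), v in zip(sample, run_chain(sample)):
        print(f"t={now:4d} {ip:14s} {v}")
```

The fourth connection from the scanner inside the 300-second window is the first one logged and dropped; once its hits age out of the window it is accepted again, which is why the log prefix matters for spotting repeat offenders over longer periods.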
