Web Page Templates Icons, Clipart, Logos

Blog

Hot Topics

Post Archive

Tags

Aug 04, 2009 12:59 AM EDT

Easy solution to hinder brute force attacks using iptables

Over the past week, there have been 10 separate attempts to do a brute force attack on my server. Each day, I’d check my logs and manually ban the IP address responsible for the attempted crack. They’ve been attempting to break in through SSH and FTP.

While they didn’t succeed in breaking in, they did succeed in slowing down the server to the point that it was unresponsive for a few minutes during each attack.

Fortunately, IPTables has a cool feature that checks for recent connections. You tell it how many connection attempts from a particular IP address for a length of time, and if that amount succeeds, that IP address is banned for the specified amount of time.

It consists of 2 easy commands. The first one sets up the recent table:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

In this case, it’s looking for connections on port 22 (SSH). Do the same for any other port that you want to limit like this such as your ftp ports.

The next command tells it to drop packets that exceed your specifications:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP

This tells iptables to drop the 3rd connection from a particular IP address if it happens within 60 seconds of the previous 2. You’ll probably want to set it a little harsher than that such as 3-5 minutes, or if you really want to be strict, set it for an hour or more. The downside is that the longer the timeframe, the greater chance that a legitimate person will get blocked because they mistyped their password a couple of times.

I’ve found that a range of 3-5 minutes is enough. My logs show a couple of attempts, 5 minutes later, a couple more, 5 minutes later a couple more. The rest are just dropped. My server doesn’t show down in the slightest with this kind of load, and I believe it’ll take the crackers a few hundred years to break a password at 2 attempts every 3-5 minutes.

Darren brute force | server security | ssh | ftp
Displaying 1 post

Online Information for Geeks

 

 

 

 

Resource Links