
The article makes it sound like the SSH brute-forcing requests were part of the attack, but it's unlikely - they are very common. My servers get several of these attacks a day.

I don't like changing my default SSH port, but I don't like people trying to brute-force my SSH passwords either. Instead I use iptables to drop SSH connections from any IP address that attempts to connect overly frequently. This is highly efficient (compared to scripts like fail2ban) and very simple to implement:

  # SSH daemon - tcp Port 22 - drop any more than 3 new connections from one address every 5 mins
  IPTABLES=/sbin/iptables   # path to the iptables binary (adjust for your system)
  # -I inserts at the head of the chain, so the --update/DROP check below ends up above --set
  $IPTABLES -I INPUT -p tcp -i eth+ --dport 22 -m state --state NEW -m recent --set
  $IPTABLES -I INPUT -p tcp -i eth+ --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
  # anything that was not dropped above is accepted
  $IPTABLES -A INPUT -p tcp -i eth+ --dport 22 -j ACCEPT
Enjoy!


Congrats, you have just opened yourself to a DoS for no gain whatsoever. Mind telling me the host and where you usually connect from?


You realise this only blocks connections from the abusive address, not all connections? If so, please enlighten me about how this enables a DoS.


There is no such thing as an "abusive address". There are only "abusive attackers", but what you are blocking are addresses, not attackers. Blocking attackers would require authenticating them. Which is impossible, because attackers usually won't cooperate in authenticating them. Which is why we usually authenticate legitimate users instead. Which is what the sshd would do if you just let it do its job. What you do instead is to offer a service which anyone without any authentication can use to block any address they like from accessing your ssh server by sending three packets where they put the address they wish to block into the source address field, with different source ports so as to make netfilter consider them NEW flows. Such functionality that allows anyone to reduce the availability of a service, especially when it takes as little effort as three packets, is what is commonly called a Denial of Service vulnerability.


Thanks for the explanation - I see your point and it would be wise to consider this possibility when looking at this technique.

For my use case though, this reduces load on my server (and prevents clogging my auth log files) by stopping incessant password brute-forcing attempts. I must admit to quickly adding an overriding ALLOW for the handful of IP addresses that should have access, though!
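As an added example that is not part of this thread or any poster's code: a small Python model of how netfilter's `recent` module evaluates the three rules quoted earlier, with the "overriding ALLOW" for trusted addresses mentioned just above placed ahead of the DROP rule (that placement, the trusted-address set, and the sample addresses from the RFC 5737 documentation ranges are all assumptions made for the example). The `--set`/`--update` semantics modelled here are the ones xt_recent documents: `--set` records a hit, and `--update` adds a hit only when its `--seconds`/`--hitcount` condition already matches. Running it shows which attempt in a sequence gets dropped, why a persistent knocker stays blocked, and why the table being keyed on source address alone is the weak spot the thread is arguing about.

```python
# Added example: a model of the rate-limiting chain, not code from the thread.
# Timestamps are in seconds. Addresses are constructed (RFC 5737 documentation ranges).
from collections import defaultdict

WINDOW_SECONDS = 300   # --seconds 300
HITCOUNT = 3           # --hitcount 3
MAX_STAMPS = 20        # xt_recent keeps at most ip_pkt_list_tot stamps per entry (default 20)

# Assumed: the handful of addresses the poster allows unconditionally.
TRUSTED = {"198.51.100.5"}


class RecentTable:
    """Per-source-address list of recent hit timestamps (cf. /proc/net/xt_recent/DEFAULT)."""

    def __init__(self):
        self.entries = defaultdict(list)

    def _add_stamp(self, addr, now):
        stamps = self.entries[addr]
        stamps.append(now)
        if len(stamps) > MAX_STAMPS:      # the oldest stamp is overwritten
            del stamps[0]

    def set(self, addr, now):
        """-m recent --set: create the entry if needed and record a hit."""
        self._add_stamp(addr, now)

    def update(self, addr, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount N.

        Matches only if the entry exists and has >= N hits in the last S seconds.
        On a match the current time is added as a new hit, which is what keeps a
        persistent knocker blocked: every dropped attempt refreshes the window.
        """
        if addr not in self.entries:
            return False
        recent = [t for t in self.entries[addr] if t + seconds > now]
        if len(recent) >= hitcount:
            self._add_stamp(addr, now)
            return True
        return False


def filter_new_ssh_connection(table, src, now, trusted=frozenset()):
    """Evaluate one NEW tcp/22 packet against the chain as it ends up after the
    two -I inserts and the -A append (plus the assumed trusted ACCEPT in front):
        1. src in trusted set        -> ACCEPT
        2. --update --seconds 300 --hitcount 3 -> DROP
        3. --set                     (no target, continue)
        4. ACCEPT
    The table is keyed on the source address only; nothing here authenticates
    the sender, which is the point made earlier in the thread.
    """
    if src in trusted:
        return "ACCEPT"
    if table.update(src, now, WINDOW_SECONDS, HITCOUNT):
        return "DROP"
    table.set(src, now)
    return "ACCEPT"


def simulate(attempts, trusted=frozenset()):
    """attempts: list of (timestamp, src). Returns the verdict for each attempt in order."""
    table = RecentTable()
    return [filter_new_ssh_connection(table, src, t, trusted) for t, src in attempts]


if __name__ == "__main__":
    # Constructed scenario: one address knocks four times in 30 s, again at 200 s,
    # then once more after its window has gone quiet.
    knocker = [(0, "203.0.113.7"), (10, "203.0.113.7"), (20, "203.0.113.7"),
               (30, "203.0.113.7"), (200, "203.0.113.7"), (600, "203.0.113.7")]
    for (t, src), verdict in zip(knocker, simulate(knocker)):
        print(f"t={t:4d} {src} -> {verdict}")
    # A trusted address is never counted, however quickly it reconnects.
    admin = [(i, "198.51.100.5") for i in range(6)]
    print(simulate(admin, TRUSTED))
```

The fourth attempt from the knocking address is the first one dropped (three hits already sit inside the 300 s window), the attempt at 200 s is dropped too because the matched `--update` at 30 s added a fresh stamp, and only at 600 s, when no stamp is newer than 300 s, does the address get through again. The same six rapid attempts from the trusted address are all accepted only because of the override rule; without it they would be rate-limited like any other source.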


Because source IPs really aren't easy to spoof, right? </s>