Samker's Computer Forum - SCforum.info
Server & Network Security Base: => System & Security Management => Topic started by: mikey on 28. April 2012., 22:21:43
-
So how do you handle dictionary attacks?
Until recently, I used automatic scripts to ban sources. Scripts are too slow. So why can't we just build a simple rule set for the firewall? Perhaps like this:
iptables -N SSH_BAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_BAN
iptables -A SSH_BAN -m recent --set --name SSH
iptables -A SSH_BAN -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables-save > /etc/sysconfig/iptables
/sbin/service iptables save
The result:
[root@bench ~]# iptables -L -v
Chain INPUT (policy ACCEPT 374M packets, 106G bytes)
pkts bytes target prot opt in out source destination
176K 10M SSH_BAN tcp -- any any anywhere anywhere tcp dpt:ssh state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 274M packets, 395G bytes)
pkts bytes target prot opt in out source destination
Chain SSH_BAN (1 references)
pkts bytes target prot opt in out source destination
176K 10M all -- any any anywhere anywhere recent: SET name: SSH side: source
164K 9812K DROP all -- any any anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
[root@bench ~]#
Works for me. :)
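To see what the chain above actually permits before it starts dropping, here is an added example (not from the post): a small Python model of how the netfilter recent module counts hits for `--seconds 60 --hitcount 4`, run over constructed connection times. It also shows that putting `--update` before `--set` (the other common ordering) permits one extra attempt per window; the ring-buffer size and the kernel's stamp handling are assumptions based on xt_recent's documented behaviour.

```python
# Added example (not from the forum post): a model of how the netfilter
# "recent" module counts hits for the SSH_BAN chain, so the effect of
# --seconds 60 --hitcount 4 and of the --set/--update rule order can be
# checked without touching a live firewall. Timestamps are constructed, in seconds.

from collections import deque

def run_chain(attempts, order=("set", "update"), seconds=60, hitcount=4, list_tot=20):
    """Return a list of booleans: True where a NEW SSH connection is DROPped.

    attempts: arrival times (seconds) of NEW connections from one source.
    order:    rule order in the chain; the post uses --set before --update.
    list_tot: ring-buffer size of xt_recent (module param ip_pkt_list_tot, default 20).
    """
    stamps = deque(maxlen=list_tot)   # per-source timestamps kept by the recent module
    dropped = []
    for now in attempts:
        drop = False
        for rule in order:
            if rule == "set":
                stamps.append(now)          # --set: list the source and record a hit; no -j, so continue
            elif rule == "update":
                if not stamps:              # --update on an unlisted source never matches
                    continue
                hits = sum(1 for s in stamps if s >= now - seconds)  # only stamps inside the window count
                if hits >= hitcount:
                    stamps.append(now)      # a matching --update also records the hit
                    drop = True
                    break                   # -j DROP ends traversal of the chain
        dropped.append(drop)
    return dropped

def allowed_before_ban(order=("set", "update"), **kw):
    """How many back-to-back NEW connections get through before the first DROP."""
    verdicts = run_chain(list(range(30)), order=order, **kw)
    return verdicts.index(True) if True in verdicts else len(verdicts)

if __name__ == "__main__":
    burst = [0, 5, 10, 15, 20, 90]           # constructed: five quick attempts, then one after a quiet spell
    print("set,update :", run_chain(burst))
    print("update,set :", run_chain(burst, order=("update", "set")))
    print("allowed before ban:", allowed_before_ban(), "vs", allowed_before_ban(("update", "set")))
```

The last attempt at t=90 gets through in both orderings because every earlier stamp has aged out of the 60-second window, which is also why an admin who opens four sessions within a minute locks themselves out until they stop connecting for a minute.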
-
Nice work Mike. :thumbsup:
A few additional details about "Dictionary attacks" for SCF members from Wikipedia:
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.
...
Source: http://en.wikipedia.org/wiki/Dictionary_attack
... and one, just for "figure out", YT video:
http://www.youtube.com/watch?v=xR8J_jNw2io