Thread: somebody hacking my router on ssh

  1. #1
    Join Date
    Mar 2007
    Location
    Budapest / Hungary
    Posts
    79

    somebody hacking my router on ssh

    Hi. Sorry for my English.

    Yesterday somebody tried to log in to my router over ssh. I would like to use iptables to solve this problem.

    Drop tcp packets if:
    state new
    and
    time limit: 300 seconds
    and
    packets: 4 (4 where state=new)

    I read this code somewhere, but it is not working:

    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    iptables: No chain/target/match by than name

    I tried to solve the problem:
    iptables -I SECURITY -p tcp --dport 22 -i ppp0 -m state --state NEW -m limit --limit 300/second --limit-burst 4 -j DROP
    Oleg, please check this: does the command do what I want?
    Thanks, George

  2. #2

    That's true

    Same problem. Someone tried to hack my router as well. I traced the IP addresses back at www.dnsstuff.com and found out that the attacks are from China and Japan, but not always from the same address.

    By the way,
    they can't hack it; the login attempts failed according to the system log. So I just ignore them. (I have a strong password.)

  3. #3
    Join Date
    Mar 2007
    Location
    Budapest / Hungary
    Posts
    79
    [admin@MYROUTER init.d]$ passwd
    Changing password for admin
    Enter the new password (minimum of 5, maximum of 8 characters)
    Please use a combination of upper and lower case letters and numbers.
    Enter new password:
    [admin@MYROUTER init.d]$

    The password length is 8 characters and I think it is not strong enough (against a brute-force attack).

    George

  4. #4
    Join Date
    Feb 2007
    Location
    Moscow, Russia
    Posts
    3,805
    The password length is 8 characters and I think it is not strong enough (against a brute-force attack).
    If you use 8 lower/upper case Latin letters + numbers, you have (26+26+10)^8 = 218340105584896

    Taking into account that the time between attempts is 2-4 sec, it will take at least 13847038 years to check all possible combinations to get your root password.

    So, be sure that you use an 8 char non-vocabulary-based password, and you can be relatively calm about this situation.

    However, I agree, it is unpleasant.

    Normally this problem is resolved by tcpwrappers. This library provides easy access control using /etc/hosts.allow and /etc/hosts.deny files. However, all the packages in the optware/oleg feed are compiled without support of tcpwrappers. I don't know why. IMHO this default behavior should be changed.

    Don't miss that if you use this method (using ipt_recent) it would actually mean that if somebody is trying to access your ssh daemon in an unwanted manner, then the firewall denies ssh access for everybody (including you).

    Do you remember that you have to install the module:
    insmod ipt_recent

  5. #5
    Join Date
    Mar 2007
    Location
    Budapest / Hungary
    Posts
    79
    Thanks. I will try the ipt_recent module.

    George
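
Added example (not from the thread or its posters): a simplified Python model of how the two `recent` rules quoted in post #1 treat NEW packets to port 22 once the module is loaded. The class, function and sample addresses are constructed for illustration, and the model assumes the module's default of keying its list on the packet's source address.

```python
SECONDS, HITCOUNT = 60, 4  # from the --update rule in post #1
MAX_STAMPS = 20            # assumption: timestamps remembered per address (module default)

class RecentList:
    """Simplified model of one `recent` list, keyed by source address."""

    def __init__(self):
        self.stamps = {}

    def record(self, src, now):
        # --set, and every successful --update, stores a timestamp for src.
        self.stamps[src] = (self.stamps.get(src, []) + [now])[-MAX_STAMPS:]

    def update_matches(self, src, now):
        # --update --seconds S --hitcount K: match when at least K stored
        # timestamps for src fall inside the last S seconds.
        hits = sum(1 for t in self.stamps.get(src, []) if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self.record(src, now)  # a match refreshes the entry
            return True
        return False

def filter_new_ssh(events):
    """events: (time_in_seconds, source_ip) for NEW packets to port 22."""
    table, verdicts = RecentList(), []
    for now, src in events:
        # Two `-I INPUT` commands leave the --update rule above the --set rule.
        if table.update_matches(src, now):
            verdicts.append((now, src, "DROP"))
        else:
            table.record(src, now)  # --set has no -j, so the packet continues
            verdicts.append((now, src, "PASS"))
    return verdicts

# Constructed sample: one source retrying every 3 s, one single login from
# another address, and a late retry after more than 60 s of silence.
SAMPLE = sorted(
    [(t, "203.0.113.5") for t in range(0, 30, 3)]
    + [(10, "198.51.100.7"), (100, "203.0.113.5")]
)

if __name__ == "__main__":
    for now, src, verdict in filter_new_ssh(SAMPLE):
        print(f"t={now:>3}s  {src:<13} {verdict}")
```

With this rule order the first four attempts inside the window pass down the chain and the fifth is dropped; because each dropped packet refreshes the entry, the source stays blocked for as long as it keeps retrying within 60 seconds.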
