Íàñòðîéêà brute force protection íà ðîóòåðå

[black_128]

Äîáðîãî âðåìåíè ñóòîê!
Ñêàæèòå, ðåøåíà ëè ïðîáëåìà ñ õàëÿâíûì õîæäåíèåì â èíòåðíåò, êîãäà Âàø IP èñïîëüçóþò âìåñòî øëþçà?

Îïèñàíî: http://www.wl500g.info/showthread.php?t=6595

Òàêæå, êàêèì îáðàçîì èçìåíèòü ìîé post-firewall, ÷òîáû âî ïåðâûõ ïåðåíàïðàâèòü äîñòóï ê 22ìó ïîðòó íà äðóãîé "áåçîïàñíûé", à âî âòîðûõ ñäåëàòü áëîêèðîâàíèå IP àòàêóþùåãî íà ñóòêè, ïîñëå íåóäà÷íûõ 6-òè êîííåêòîâ? Íåáîëüøîå çàìå÷àíèå - ÿ íå èñïîëüçóþ äîñòóï ê äîìàøíèì êîìïüþòåðàì èç WAN - íåò íåîáõîäèìîñòè.

À òî, ñö@$è ïûòàþòñÿ ëîìàòü:




inetnum: 85.89.73.218 - 85.89.73.222
netname: SE-NTI-SKOLAN-NETIT
person: Thomas Rojsel
address: Garvaregatan 4
phone: +46 23 702 22 02
nic-hdl: TR1185-RIPE
source: RIPE # Filtered
person: Lars Olsson
address: NetIT
address: Sweden
phone: +46 23 636 40
e-mail: lars@netit.se

Âîò ìîé post-firewall:

#!/bin/sh
#WEB,SSH and FTP access from WAN
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP
#Test for post-firewall.log
echo "post-firewall running...">/var/log/post-firewall.log

Ïîäñêàæèòå, ãóðó!

[black_128]

Íó ÷òî, ðåáÿòà? Âàøè post-firewall áóäóò çà firewall?

Âîò ÷òî ÿ ïðèäóìàë, âåðíî? (Ýýýýõ....íà íåäåëüêó áû âñÿêèõ øâåäîâ è êèòàéöåâ â áàí):

#!/bin/sh
## WEB,SSH and FTP access from WAN
## Set default policy
iptables -P INPUT DROP
## Removes last default rule
iptables -D INPUT -j DROP
## Open FTP,SSH,WWW ports
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -j brute_force
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
## Block SSH brute force attacks
iptables -N brute_force
iptables -F brute_force
iptables -A brute_force -m state --state NEW -m recent --name attack --set
iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix 'SSH brute force attack'
iptables -A brute_force -m recent --name attack --rcheck --seconds 60 --hitcount 4 -j DROP
iptables -A brute_force -j ACCEPT
## Drop other IPs
iptables -A INPUT -j DROP
#Test for post-firewall.log
echo "post-firewall running...">/var/log/post-firewall.log

[vaspupkin]

Óâàæàåìûå ïîëüçîðâàòåëè WL500GP,
îáðàòèë âíèìàíèå, ÷òî ñèñòåìàòè÷åñêè ñ ðàçíûõ àäðåñîâ ïðîâîäÿò ñêàíèðîâàíèå ïîðòîâ. Íàïðèìåð èç ïîñëåäíåãî ëîãà

Code:

syslog.log

Jan 22 22:26:31 dropbear[328]: Child connection from ::ffff:203.127.35.164:56647
Jan 22 22:26:35 dropbear[328]: bad password attempt for 'admin' from ::ffff:203.127.35.164:56647
Jan 22 22:26:36 dropbear[328]: exit before auth (user 'admin', 1 fails): Disconnect received
Jan 22 22:26:37 dropbear[329]: Child connection from ::ffff:203.127.35.164:56802
Jan 22 22:26:40 dropbear[329]: bad password attempt for 'admin' from ::ffff:203.127.35.164:56802
Jan 22 22:26:41 dropbear[329]: exit before auth (user 'admin', 1 fails): Disconnect received
Jan 22 22:26:41 dropbear[330]: Child connection from ::ffff:203.127.35.164:56886
Jan 22 22:26:45 dropbear[330]: login attempt for nonexistent user from ::ffff:203.127.35.164:56886

Äëÿ áëîêèðîâêè èñïîëüçóþ îïèñàííóþ çäåñü ïðîöåäóðó áëîêèðîâàíèÿ IP-àäðåñîâ ñ ðó÷íûì çàíåñåíèåì èõ â ôàéë block.ip
À âîò êàê áû àâòîìàòèçèðîâàòü äàííóþ ïðîöåäóðó? Ñëàá ÿ â ëþíèêñîèäíûõ ñêðèïòàõ

[SergeyVl]

Óâàæàåìûå ïîëüçîðâàòåëè WL500GP,
îáðàòèë âíèìàíèå, ÷òî ñèñòåìàòè÷åñêè ñ ðàçíûõ àäðåñîâ ïðîâîäÿò ñêàíèðîâàíèå ïîðòîâ. Íàïðèìåð èç ïîñëåäíåãî ëîãà

Code:

syslog.log

Jan 22 22:26:31 dropbear[328]: Child connection from ::ffff:203.127.35.164:56647
Jan 22 22:26:35 dropbear[328]: bad password attempt for 'admin' from ::ffff:203.127.35.164:56647
Jan 22 22:26:36 dropbear[328]: exit before auth (user 'admin', 1 fails): Disconnect received
Jan 22 22:26:37 dropbear[329]: Child connection from ::ffff:203.127.35.164:56802
Jan 22 22:26:40 dropbear[329]: bad password attempt for 'admin' from ::ffff:203.127.35.164:56802
Jan 22 22:26:41 dropbear[329]: exit before auth (user 'admin', 1 fails): Disconnect received
Jan 22 22:26:41 dropbear[330]: Child connection from ::ffff:203.127.35.164:56886
Jan 22 22:26:45 dropbear[330]: login attempt for nonexistent user from ::ffff:203.127.35.164:56886

Äëÿ áëîêèðîâêè èñïîëüçóþ îïèñàííóþ çäåñü ïðîöåäóðó áëîêèðîâàíèÿ IP-àäðåñîâ ñ ðó÷íûì çàíåñåíèåì èõ â ôàéë block.ip
À âîò êàê áû àâòîìàòèçèðîâàòü äàííóþ ïðîöåäóðó? Ñëàá ÿ â ëþíèêñîèäíûõ ñêðèïòàõ

Ýòî íå ñêàíèðîâàíèå ïîðòîâ, à ïîïûòêà ïîäêëþ÷èòüñÿ ÷åðåç SSH.
Ïî÷èòàéòå http://wl500g.info/showthread.php?t=8015

[vaspupkin]

×èòàë âíèìàòåëüíî, äåëàë... íå ïîëó÷èëîñü
 post-boot âñòàâèë

Code:

insmod ipt_recent

 post-firewall âñòàâëÿë îïèñàííûå ñòðîêè

Code:

iptables -t nat -I PREROUTING -i $WAN -p tcp -m state --state NEW --dport 22 -m recent --set --name SSH_ATTACKER --rsource
iptables        -I INPUT      -i $WAN -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

ãäå âìåñòî $WAN ïîäñòàâëÿë $1; $3
Âñå ðàâíî íå âûõîäèò êàìåííûé öâåòîê.

Ìîæåò ÿ ïðîñòî çàáëóäèëñÿ â ñâîåì fire-wall, íå êîðîòêèé îí ó ìåíÿ
Ãëÿíüòå, êàê ïîïðàâèòü, åñëè íå òðóäíî

Code:

#!/bin/sh

# set default policy
iptables -P INPUT DROP

# remove last default rule
iptables -D INPUT -j DROP

# Block ICQ
iptables -I FORWARD -s 192.168.2.0/24 -d 64.12.25.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 61.12.51.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 64.12.161.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 64.12.164.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 61.12.174.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 64.12.200.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 64.12.202.0/24 -j DROP

iptables -I FORWARD -s 192.168.2.0/24 -d 152.163.159.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 152.163.208.0/24 -j DROP

iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.7.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.8.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.9.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.153.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.157.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.165.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.179.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.248.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.251.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 205.188.253.0/24 -j DROP

# Block Rambler ICQ
iptables -I FORWARD -s 192.168.2.0/24 -d 204.15.10.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 81.19.64.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 81.19.65.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 81.19.66.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 81.19.69.0/24 -j DROP
iptables -I FORWARD -s 192.168.2.0/24 -d 81.19.70.0/24 -j DROP

# ACCEPT rules SSH, Telnet, FTP, WEB (Port 80)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT

# PREROUTING rules SSH, Telnet, FTP, WEB
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 22 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 23 -j DNAT --to-destination $4:23
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 21 -j DNAT --to-destination $4:21
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 80 -j DNAT --to-destination $4:80
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 8080 -j DNAT --to-destination $4:8080
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 3389 -j DNAT --to-destination $4:3389

# Drop all other connections
iptables -A INPUT -j DROP

# Block IPs
/usr/local/sbin/blockIPs

# CORBINA ROUTING
# Local network:
/sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.190.0.17
# Corbina.ru, help.corbina.ru, home.corbina.ru
/sbin/route add -net 85.21.29.242 netmask 255.255.255.255 gw 10.190.0.17
# Stat.corbina.ru
/sbin/route add -net 195.14.50.26 netmask 255.255.255.255 gw 10.190.0.17
# Mail Server
/sbin/route add -net 195.14.50.16 netmask 255.255.255.255 gw 10.190.0.17 
# Local resources
/sbin/route add -net 85.21.79.0 netmask 255.255.255.0 gw 10.190.0.17
/sbin/route add -net 85.21.90.0 netmask 255.255.255.0 gw 10.190.0.17
# Corbina.TV:
/sbin/route add -net 85.21.52.254 netmask 255.255.255.255 gw 10.190.0.17
/sbin/route add -net 85.21.88.130 netmask 255.255.255.255 gw 10.190.0.17
/sbin/route add -net 83.102.146.96 netmask 255.255.255.224 gw 10.190.0.17
/sbin/route add -net 85.21.138.210 netmask 255.255.255.255 gw 10.190.0.17
/sbin/route add -net 85.21.138.214 netmask 255.255.255.255 gw 10.190.0.17

Âñå ïîëó÷èëîñü, âñåì ñïàñèáî.  êîíåö fire-wall äîáàâèë ñëåäóþùèé êîä ñ óêàçàíèåì êîíêðåòíî "ppp0"

Code:

iptables -t nat -I PREROUTING -i ppp0 -p tcp -m state --state NEW --dport 22 -m recent --set --name SSH_ATTACKER --rsource
iptables -I INPUT -i ppp0 -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 60 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP

[al37919]

â ñèñëîãå íàáëþäàþ, ÷òî êàêîé-òî çëîáíûé àâòîìàò ëîìèòñÿ íà ìîé dropbear.

Apr 16 00:22:07 dropbear[22309]: Child connection from ::ffff:164.100.167.22:5778
Apr 16 00:22:08 dropbear[22309]: exit before auth: Exited normally
Apr 16 00:24:30 dropbear[22598]: Child connection from ::ffff:164.100.167.22:30896
Apr 16 00:24:34 dropbear[22598]: login attempt for nonexistent user from ::ffff:164.100.167.22:30896
Apr 16 00:24:35 dropbear[22598]: exit before auth: Disconnect received
Apr 16 00:24:35 dropbear[22609]: Child connection from ::ffff:164.100.167.22:31108
Apr 16 00:24:38 dropbear[22609]: login attempt for nonexistent user from ::ffff:164.100.167.22:31108
Apr 16 00:24:39 dropbear[22609]: exit before auth: Disconnect received

Äàëåå ïðîäîëæàåòñÿ òî æå ñàìîå â òå÷åíèå 15 ìèí. Ïðèìåðíî êàæäûå ÷åòûðå ñåêóíäû íîâàÿ ïîïûòêà. Èòîãî ïîëó÷àåòñÿ ãäå-òî çà 200 ïîïûòîê. Ìíå ýòî íå íðàâèòñÿ.

Ìîæíî ëè ñäåëàòü ñëåäóþùåå (è êàê):
1) çàïðåò ñîåäèíåíèÿ ñ IP-àäðåñà ïîñëå òðåõ-ïÿòè íåóñïåøíûõ ïîïûòîê çàëîãèíèòüñÿ.

2) äðóãîé âàðèàíò ïîñëå íåóäà÷íîé ïîïûòêè ëîãèíà --- ïàóçà, ñêàæåì, 1 ìèíóòà

3) êàê çàäàòü êàêîé þçåð ìîæåò ëîãèíèòüñÿ ÷åðåç ssh è êàêîé íåò. Õî÷ó çàïðåòèòü ëîãèí äëÿ root

ÎÊ, ïîñëåäíåå óæå íàøåë : dropbear -w

[Oleg]

Äóìàþ, ÷òî íóæíî íàïèñàòü ñêðèïò, êîòîðûé áóäåò ïàðñèòü ëîã è äîáàâëÿòü ïðàâèëà â iptables.

[Duke]

Òóò óæå îáñóæäàëîñü. Ìîæíî ñðåäñòâàìè iptables ñäåëàòü âðåìåííóþ áëîêèðîâêó. Åñëè íå ïîäõîäèò - äëÿ ðàçáîðàëîãà ñêðèïò ìîãó âûëîæèòü.

[ATDT]

ÈÌÕÎ ïðîùå è ýôôåêòèâíåå ïîðò äðîïáèðà ïîìåíÿòü - íèêòî íå ëîìèòñÿ è â ëîãàõ ÷èñòî.

[al37919]

Ñïàñèáî çà îòâåòû,

2ATDT --- íó, ýòî íå ðåøåíèå, à ïðÿìî óõîä êàêîé-òî îò ïðîáëåìû. Íå ñïîðòèâíî. Çàòî, ïðàâäà, ïóòü ñàìûé ïðîñòîé.

2Duke --- áûëî áû ëþáîïûòíî âçãëÿíóòü.

[wod]

Âàðèàíò îò macsat:

This can be avioded by installing the ipt_recent module for iptables, and changing the firewall rules accordingly.
The method includes allowing only X number of connections to port 22 from the same IP in a period of YY seconds.
The ipt_recent module is in the iptables-mod-extra package, install this by:
ipkg install iptables-mod-extra
In this example of the setup, we will allow a maximum of 3 connections to port 22 from each IP within a 120 seconds timeframe. Also we will make a log-entry in the syslog for each blocked request to port 22. This means that we need to load both the ipt_recent and the ipt_LOG modules, and use them in our firewall.user script.
To load the modules at starup do this:
echo "ipt_recent" >> /etc/modules echo "ipt_LOG" >> /etc/modules
Now you can either reboot your router, or issue the following commands to load the modules now :
insmod ipt_recent insmod ipt_LOG
To create the firewall rules, you need to replace this like in your firewall.user script :
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT

With the following three lines:
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 -j LOG --log-prefix "SSH_BRUTE "
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --update --hitcount 3 --seconds 120 -j DROP
iptables -t filter -A input_rule -i $WAN -p TCP --dport 22 -m recent --name SSH --set -j ACCEPT

Now after reloading the /etc/firewall.user script - or rebooting the router, it is only possible to make 3 requests every 120 seconds from the same ip to port 22 of the WAN device of your router.
You will still see log entries like the above, but only in blocks of three requests every two minutes. This will render brute force attacks non-useable for thoose petty hackers.
Blocked attempts will show in the syslog with the prefix : "SSH_BRUTE" and you can see thoose by issuing:
logread |grep "SSH_BRUTE"

[al37919]

wod, îãðîìíîå ñïàñèáî --- âûãëÿäèò îòëè÷íî. Áóäåì ïðîáîâàòü.

[Duke]

2Duke --- áûëî áû ëþáîïûòíî âçãëÿíóòü.

Ýòî çàïóñêàåòñÿ ïî êðîíó

Code:

#!/bin/sh
logfile=/tmp/syslog.log
banfile=/opt/fw-deny-ssh
for i in `awk '/dropbear.?*nonexistent/ { split($11,addr,/:/); cur=addr[4]; if(cur != prev) ban[n++]=cur; prev=cur } END { for(i=0; i in ban; i++) print ban[i] }' $logfile`
do
    grep "$i" $banfile -q || (
        banned="NOT banned"
        iptables -I INPUT -p tcp -s $i --dport 22 -j DROP &&
        echo $i>>$banfile &&
        banned="banned"
        sendmail "Intrusion alert!" "Unsuccessfull SSH connection attempt from $i detected - $banned"
    )
done

È äî êó÷è â post-firewall äîáàâëåíî

Code:

#SSH deny
for i in `cat /opt/fw-deny-ssh`
do
   iptables -I INPUT -p tcp -s $i --dport 22 -j DROP
done

ÍÎ! Òàáëèöû iptables óâåëè÷èâàþòñÿ, ñëåäîâàòåëüíî è ïðîèçâîäèòåëüíîñòü ðîóòåðà íàñêîëüêî ïàäàåò.

[imdex]

Âîò òóò äîâîëüíî ïîäðîáíî îáñóæäàëîñü óæå.

[rutony]

Code:

an  1 16:24:47 vsftpd[985]: [christina] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:24:49 vsftpd[985]: [christina] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:24:50 vsftpd[985]: [christina] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:24:52 vsftpd[996]: CONNECT: Client "209.203.14.50"
Jan  1 16:24:53 vsftpd[995]: [christine] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:24:55 vsftpd[995]: [christine] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:24:56 vsftpd[995]: [christine] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:24:58 vsftpd[1000]: CONNECT: Client "209.203.14.50"
Jan  1 16:24:58 vsftpd[999]: [christopher] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:00 vsftpd[999]: [christopher] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:01 vsftpd[999]: [christopher] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:03 vsftpd[1002]: CONNECT: Client "209.203.14.50"
Jan  1 16:25:03 vsftpd[1001]: [christy] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:05 vsftpd[1001]: [christy] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:06 vsftpd[1001]: [christy] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:09 vsftpd[1007]: CONNECT: Client "209.203.14.50"
Jan  1 16:25:09 vsftpd[1006]: [chuck] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:11 vsftpd[1006]: [chuck] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:13 vsftpd[1006]: [chuck] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:14 vsftpd[1010]: CONNECT: Client "209.203.14.50"
Jan  1 16:25:15 vsftpd[1009]: [cindy] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:16 vsftpd[1009]: [cindy] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:18 vsftpd[1009]: [cindy] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:19 vsftpd[1014]: CONNECT: Client "209.203.14.50"
Jan  1 16:25:20 vsftpd[1013]: [claire] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:22 vsftpd[1013]: [claire] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:24 vsftpd[1013]: [claire] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:25 vsftpd[1017]: CONNECT: Client "209.203.14.50"
Jan  1 16:25:26 vsftpd[1016]: [clarence] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:28 vsftpd[1016]: [clarence] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:29 vsftpd[1016]: [clarence] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:31 vsftpd[1020]: CONNECT: Client "209.203.14.50"
Jan  1 16:25:31 vsftpd[1019]: [clarissa] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:33 vsftpd[1019]: [clarissa] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:34 vsftpd[1019]: [clarissa] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:36 vsftpd[1023]: CONNECT: Client "209.203.14.50"
Jan  1 16:25:37 vsftpd[1022]: [clark] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:38 vsftpd[1022]: [clark] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:40 vsftpd[1022]: [clark] FAIL LOGIN: Client "209.203.14.50"
Jan  1 16:25:41 vsftpd[1025]: CONNECT: Client "209.203.14.50"
Jan  1 16:25:42 vsftpd[1024]: [claudia] FAIL LOGIN: Client "209.203.14.50"

êàê ÿ ïîíèìàþ, ñóäÿ ïî ëîãó ïûòàþòñÿ ïîäîáðàòü ïàðîëü ê ðîóòåðó, â ÷àñòíîñòè ê ôòï

ñîîáñòâåííî âîçíèêàåò âîïðîñ, êàê ìàêñèìàëüíî îáåçîïàñèòü,
1. êàê ïîìåíÿòü ïàðîëè äëÿ ê telnet, ssh?
2. êàêèå ïðàâèëà ïðîïèñàòü â iptables, îò íàçîéëèâûõ áðóòôîðñåðîâ?