[TriLUG] Drop script kitties

Igor Partola igor at igorpartola.com
Tue Oct 11 10:37:42 EDT 2011


For a while I ran a similar iptables rule but with TARPIT as the target (
http://www.symantec.com/connect/articles/slow-down-internet-worms-tarpits).
The idea is that you accept a TCP connection and then set the recv window
size to 0, basically dropping all communication. You also ignore all
attempts to close the connection by the remote host. Thus the only way for the
scanner to get out of it and move on to the next host is to wait for the
connection to time out. At the time I thought I was very clever by moving my
ssh port to 2200 and then immediately blacklisting any IP that tried to
connect to port 22. Alas, I myself kept forgetting this and getting my IPs
blacklisted, so I disabled this feature eventually.

Igor

On Tue, Oct 11, 2011 at 9:28 AM, Bill Farrow <bill at arrowsreach.com> wrote:

> I added this script to my OpenWRT firewall.  This drops ssh
> connections after 3 failed attempts.  Suggestions for improvement are
> most welcome.
>
>
> ## Logging dropped packets
> iptables -F LOGDROP
> iptables -N LOGDROP
> iptables -A LOGDROP -m limit --limit 1/min -j LOG --log-prefix "iptables denied: "
> iptables -A LOGDROP -j DROP
>
>
> ## ssh only allows 3 new connections per minute
> ## (one "-m limit" match; a second "-m limit" would add an independent 3/hour counter)
> iptables -F zone_wan
> iptables -A zone_wan -p tcp --dport 22 --syn -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
> iptables -A zone_wan -p tcp --dport 22 --syn -j LOGDROP
>
> iptables -A zone_wan -j input_wan
> iptables -A zone_wan -j zone_wan_ACCEPT
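The quoted script uses a single `-m limit` token bucket shared by every source address, so one scanner that sends three SYNs a minute can keep the bucket empty and lock legitimate users out of port 22 along with it. The script below is an added example (not Bill's script and not part of OpenWRT) that keeps the same chain layout (`LOGDROP`, `zone_wan`, `input_wan`, `zone_wan_ACCEPT`, all from the post) but counts new connections per source with the `recent` match, so only the address that hammers the port gets dropped. The 60-second window, the 4-hit threshold and the `ssh` table name are assumptions; `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Per-source ssh rate limiting with the iptables "recent" match.
# Added example, not the script from the original post. Chain names
# come from the post; WINDOW, HITS and the table name "ssh" are assumptions.
# Dry run:  IPT=echo sh ssh-limit.sh apply
# Apply:    sh ssh-limit.sh apply      (as root, on the firewall)
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
WINDOW=60   # seconds a source's SYN timestamps are remembered
HITS=4      # the 4th new connection inside WINDOW is dropped (3 are allowed)

# Rate-limited logging chain, same shape as the original LOGDROP.
logdrop_chain() {
    "$IPT" -N LOGDROP 2>/dev/null || true   # create if missing, ignore "exists"
    "$IPT" -F LOGDROP
    "$IPT" -A LOGDROP -m limit --limit 1/min -j LOG --log-prefix "iptables denied: "
    "$IPT" -A LOGDROP -j DROP
}

# zone_wan: per-source limit on new ssh connections, then the original
# hand-off to input_wan and zone_wan_ACCEPT.
ssh_rules() {
    "$IPT" -F zone_wan
    # 1. Record one timestamp per new SYN for this source in table "ssh".
    #    No -j here: the packet falls through to the next rule.
    "$IPT" -A zone_wan -p tcp --dport "$SSH_PORT" --syn -m state --state NEW \
        -m recent --name ssh --set
    # 2. If this source now has HITS timestamps inside WINDOW, log and drop.
    #    --update only touches the entry when the rule matches, so an
    #    accepted SYN is counted once (by rule 1), not twice.
    "$IPT" -A zone_wan -p tcp --dport "$SSH_PORT" --syn -m state --state NEW \
        -m recent --name ssh --update --seconds "$WINDOW" --hitcount "$HITS" -j LOGDROP
    # 3. Everything under the threshold is accepted; other sources are unaffected.
    "$IPT" -A zone_wan -p tcp --dport "$SSH_PORT" --syn -m state --state NEW -j ACCEPT
    "$IPT" -A zone_wan -j input_wan
    "$IPT" -A zone_wan -j zone_wan_ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    logdrop_chain
    ssh_rules
fi
```

Entries in the `recent` table expire on their own once their timestamps fall outside `WINDOW`, so a user who locks themselves out (the problem Igor describes with his port-22 blacklist) is back in after a minute rather than until someone edits the rules; the current table is readable in `/proc/net/xt_recent/ssh` for checking who is being throttled.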