[tor-relays] Tor node break-in attempts

starlight.2015q3 at binnacle.cx
Fri Oct 23 03:48:29 UTC 2015


>
> Attack counts are in the 100,000s.
>

This sort of thing poses no threat and
is quite stupid as previously observed.

It is mainly annoying for the mess it makes
of /var/log/security.

If you don't want to change the SSH port
(best solution IMO), here's an 'iptables'
rule that will fix it (adjust/rearrange as
needed/desired).  These lines assume they
will go in /etc/sysconfig/iptables.
You can run them manually by prefixing with
the 'iptables' command.  I wrote this
without looking at the default 'iptables'
file for any distro and if you are using
one, revise accordingly or rename the
original and start from scratch.

# user chain for everything arriving on eth0
-N input_eth0

-A INPUT -i eth0 -j input_eth0

# let already-accepted connections through first, so only NEW packets reach the SSH rules
-A input_eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# drop the SSH attempt if this source already has 3+ attempts recorded in the last 600s
-A input_eth0 -p tcp --dport 22 -d x.x.x.x -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACK -j DROP

# otherwise record this attempt in the SSH_ATTACK list and let it through
-A input_eth0 -p tcp --dport 22 -d x.x.x.x -m recent --set --name SSH_ATTACK -j ACCEPT

==========

Because we all make mistakes, you should *TEST*
the rule by KEEPING A LIVE CONNECTION active
and logging in a second time or you may lock
yourself out of your server.  Use

   iptables -nvL

to display the counters and look for the lock-out
effect after 'hitcount' attempts.  Also look in

   cat /proc/net/xt_recent/SSH_ATTACK

for the login tries and lock-out.  You can clear
an IP with

   echo "-x.x.x.x" >>/proc/net/xt_recent/SSH_ATTACK

==========

If you want a bigger hash table and more history
than the default, you can create

   /etc/modprobe.d/xt_recent.conf

and put something like

   options xt_recent ip_list_tot=16384 ip_pkt_list_tot=255

in it.

==========

Some documentation at http://linux.die.net/man/8/iptables
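An added helper script, not from starlight's post or the tor-relays thread, that parameterises the rule set above (interface, address, port, window, hitcount, list name) and reads the /proc/net/xt_recent/SSH_ATTACK list to show which sources have reached the hitcount. The function names and the sample list contents are constructed for illustration; the list line format follows what the xt_recent module prints (src=... ttl: ... last_seen: ... oldest_pkt: ... followed by the comma-separated jiffies timestamps of the recorded packets).

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the xt_recent
# SSH rate limit. Function names, defaults and the sample list are constructed.

# Emit the rules in the same iptables-save line form the post uses.
# Usage: ssh_ratelimit_rules IFACE ADDR [PORT] [SECONDS] [HITCOUNT] [LISTNAME]
ssh_ratelimit_rules() {
    iface=$1; addr=$2; port=${3:-22}; secs=${4:-600}; hits=${5:-3}; name=${6:-SSH_ATTACK}
    cat <<EOF
-N input_${iface}
-A INPUT -i ${iface} -j input_${iface}
-A input_${iface} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A input_${iface} -p tcp --dport ${port} -d ${addr} -m recent --update --seconds ${secs} --hitcount ${hits} --name ${name} -j DROP
-A input_${iface} -p tcp --dport ${port} -d ${addr} -m recent --set --name ${name} -j ACCEPT
EOF
}

# Summarise a /proc/net/xt_recent/<name> listing read from stdin as one
# "src hits" line per entry. Each entry looks like
#   src=198.51.100.7 ttl: 52 last_seen: 4300 oldest_pkt: 0 4100,4200,4300
# where the trailing comma-separated numbers are the jiffies timestamps of the
# packets the module has stored, so counting them gives the stored hit count.
recent_hits() {
    awk '{
        src = substr($1, 5)                 # strip the "src=" prefix
        rest = ""
        for (i = 8; i <= NF; i++) rest = rest $i   # timestamps, with or without spaces after commas
        n = (rest == "") ? 0 : split(rest, ts, ",")
        print src, n
    }'
}

# Sources whose stored hit count has reached HITCOUNT (default 3). Caveat: this
# counts all stored timestamps regardless of age, while the --update --seconds
# rule only counts those inside the window (jiffies need HZ to convert), so this
# over-approximates who is currently being dropped.
recent_locked_out() {
    hits=${1:-3}
    recent_hits | awk -v h="$hits" '$2 >= h { print $1 }'
}

# Constructed sample list (RFC 5737 documentation addresses) for offline use.
sample_list() {
    cat <<'EOF'
src=198.51.100.7 ttl: 52 last_seen: 4300 oldest_pkt: 0 4100,4200,4300
src=203.0.113.9 ttl: 60 last_seen: 5000 oldest_pkt: 0 5000
src=192.0.2.44 ttl: 49 last_seen: 7700 oldest_pkt: 1 7400,7500,7600,7601,7700
EOF
}

# Read the live list when it exists (needs root), else fall back to the sample.
# Usage: show_locked_out [LISTNAME] [HITCOUNT]
show_locked_out() {
    name=${1:-SSH_ATTACK}; hits=${2:-3}
    if [ -r "/proc/net/xt_recent/$name" ]; then
        recent_locked_out "$hits" < "/proc/net/xt_recent/$name"
    else
        sample_list | recent_locked_out "$hits"
    fi
}

show_locked_out "$@"
```

Run it as root on a relay that has the rules loaded and it prints the sources that have used up their attempts; anywhere else it runs against the constructed sample. Pipe `ssh_ratelimit_rules eth0 x.x.x.x` into the file you build for iptables-restore, or prefix each emitted line with `iptables` to apply it by hand, and test it with a second live session open as the post advises.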
