I added the following firewall rules in order to defend against ssh attacks.

# user chain: log the hit, then drop the packet
iptables -N LOGNDROP
iptables -A LOGNDROP -j LOG --log-prefix "SSH attack! " --log-level 7
iptables -A LOGNDROP -j DROP
# record the source of every new SSH connection in the recent list (list name "DEFAULT")
iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --set
# from the 4th new connection within 3600 s onwards, send the packet to LOGNDROP
iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 3600 --hitcount 4 -j LOGNDROP

Is it possible to reset that counter after a successful login attempt? Although this solution works fine, I'm restricted to 3 successful logins per hour too!

My-Name-Is
  • This doesn't directly answer your question, but I would install Fail2Ban, and move SSH to a nonstandard port. (Be sure to edit the Fail2Ban jail config to monitor the correct port.) – jlehtinen Dec 27 '13 at 17:48
  • @jlehtinen Thank you for your reply. I know about Fail2Ban, but if possible I try to avoid third party tools. Otherwise it would be a feasible solution. – My-Name-Is Dec 27 '13 at 17:52
  • Fair enough. Off the top of my head, you could add a login script that purges the count. Look here for example (in Ubuntu): http://askubuntu.com/questions/10294/run-system-script-on-ssh-login-and-or-logout I don't think this would be a good solution, as if someone brute-forced your SSH port after you logged in, the count wouldn't be reset. Maybe a scheduled cron job? – jlehtinen Dec 27 '13 at 17:59

1 Answer

Yes, sort of. You can use something like fail2ban that processes the logs and removes the IP addresses from the /proc/net/xt_recent/DEFAULT:

Something like this as a (minutely?) cronjob would be a good first approximation:

# every source address with an sshd "Accepted ..." line, once each;
# writing "-ADDR" to the xt_recent list file deletes that address from the list
for ip in $(sed -ne 's/^.*sshd.*Accepted.*from \([^ ]*\).*$/\1/p' /var/log/auth.log | sort -u); do
    echo "-$ip" > /proc/net/xt_recent/DEFAULT
done
Dennis Kaarsemaker
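An added example, not code from the original question or answer: the same idea as the cron one-liner above, written as a small POSIX shell script that only looks at log lines written since its previous run and only passes well-formed addresses to the list file. The log path, the list name DEFAULT and the state file location are assumed defaults, overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post). Paths below are assumed defaults;
# override them in the environment, e.g. RECENT_LIST=/proc/net/xt_recent/ssh.
AUTH_LOG="${AUTH_LOG:-/var/log/auth.log}"
RECENT_LIST="${RECENT_LIST:-/proc/net/xt_recent/DEFAULT}"
STATE_FILE="${STATE_FILE:-/var/lib/sshrecent.state}"   # hypothetical path

# Print the source address of every sshd "Accepted ..." line read on stdin,
# once per address. Only well-formed IPv4/IPv6 literals pass the filter, so
# nothing but an address is ever written to the list file.
accepted_ips() {
    sed -ne 's/^.*sshd\[[0-9]*\]: Accepted [^ ]* for [^ ]* from \([^ ]*\) port [0-9]*.*$/\1/p' |
    grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9a-fA-F:.]*:[0-9a-fA-F:.]*)$' |
    sort -u
}

# Delete one address from the xt_recent list. The kernel interface accepts
# "-ADDR" (delete), "+ADDR" (add or refresh) and "/" (flush). printf is used
# rather than echo so a value starting with '-' is never taken as an option.
recent_forget() {
    printf '%s\n' "-$1" > "$RECENT_LIST"
}

# Forgive only logins that happened since the last run. Re-reading the whole
# log every minute would keep clearing an address that logged in hours ago,
# even while it is hammering the port now (the concern raised in the comments).
forget_new_logins() {
    done_lines=0
    if [ -r "$STATE_FILE" ]; then done_lines=$(cat "$STATE_FILE"); fi
    case "$done_lines" in ''|*[!0-9]*) done_lines=0 ;; esac
    total=$(wc -l < "$AUTH_LOG" | tr -d ' ')
    # fewer lines than last time: the log was rotated, start from the top
    if [ "$total" -lt "$done_lines" ]; then done_lines=0; fi
    tail -n +"$((done_lines + 1))" "$AUTH_LOG" | accepted_ips |
    while read -r ip; do
        recent_forget "$ip"
    done
    printf '%s\n' "$total" > "$STATE_FILE"
}

# Only act when explicitly asked (cron line: RECENT_APPLY=1 /path/to/script),
# so the file can be sourced to reuse the functions without side effects.
if [ "${RECENT_APPLY:-0}" = 1 ]; then forget_new_logins; fi
```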