simple is usually better
So, I was looking at my logwatch report the other day and saw that one of my webservers was getting hammered via sshd. No big surprise, it happens, but it got me thinking about denyhosts, which a friend suggested to me a while back. It may work, but because it's a log-parsing application it falls prey to a couple of tricks I am not interested in living with, such as spoofing the user name in the sshd log to get localhost, or the root user, locked out. While I was looking into it, I noticed a page that had another alternative:
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
I am no iptables guru, but after some research I can now read what this says, and it's beautiful. It's simple, it does what I am looking for, and best of all it's already installed and working; it's just an added bit of configuration I needed to add. I did alter it to better handle what I think are appropriate settings, but the spirit of the two lines is intact.
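Here is the same xt_recent rate limit written out the way I would deploy it, as an added example and not the two lines from the page I found. It differs from those lines in three ways: the rules live in their own chain and are appended with -A, so they run in the order they are written (with -I, the second line above is inserted in front of the first); an allowlist rule returns admin traffic before it is recorded, so a fumbled password from the admin network can never trip the limit; and re-running the script flushes and re-hooks the chain instead of stacking duplicate rules. The interface eth0, the admin range 192.0.2.0/24 (a documentation prefix standing in for whatever you use), the list name SSH and the /proc/net/xt_recent path are my assumptions. Set IPT=echo to see the rules without applying them.

```shell
#!/bin/sh
# Added example: SSH rate limit with the xt_recent module in its own chain.
# Assumed (not from the original post): eth0, admin range 192.0.2.0/24
# (documentation prefix, a placeholder), list name "SSH". IPT=echo dry-runs.
IPT="${IPT:-/usr/sbin/iptables}"
IFACE="${IFACE:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
WINDOW=60   # seconds the recent list looks back
HITS=4      # new connections inside WINDOW before we start dropping

apply_ssh_ratelimit() {
    # Create the chain, or flush it if it already exists, so re-running the
    # script never stacks duplicate rules.
    "$IPT" -N SSH_LIMIT 2>/dev/null || "$IPT" -F SSH_LIMIT
    # Allowlisted admin hosts leave the chain before they are even recorded.
    "$IPT" -A SSH_LIMIT -s "$ADMIN_NET" -j RETURN
    # Record this source in the SSH list ...
    "$IPT" -A SSH_LIMIT -m recent --name SSH --set
    # ... then drop once the list holds HITS timestamps for it within WINDOW
    # seconds. With --set before --update the HITS-th connection is the first
    # one dropped, and every dropped attempt refreshes the entry, so a host
    # that keeps hammering stays blocked until it pauses for WINDOW seconds.
    "$IPT" -A SSH_LIMIT -m recent --name SSH --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Hook new SSH connections into the chain. Delete any old jump first
    # (ignoring "not found") so the hook is idempotent too.
    "$IPT" -D INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -j SSH_LIMIT 2>/dev/null || true
    "$IPT" -I INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -j SSH_LIMIT
}

# Show who is currently in the list and how many timestamps each has.
ssh_limit_status() {
    cat /proc/net/xt_recent/SSH
}

# Drop one address from the list, e.g. after a legitimate user tripped it.
ssh_limit_forgive() {
    printf '%s\n' "-$1" > /proc/net/xt_recent/SSH
}

# Only act when asked, so sourcing this file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    apply_ssh_ratelimit
fi
```

Run it as `sh ssh-limit.sh apply` as root; `ssh_limit_status` afterwards shows the list the kernel keeps, and `ssh_limit_forgive 203.0.113.9` clears a single entry without touching the rules. Keep --hitcount modest: the module caps it at its ip_pkt_list_tot parameter, and a big window with a low count is what actually starves a dictionary attack.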
Now, for some results:
Sunday --
Failed logins from:
58.61.37.210: 24 times
58.223.251.93: 16 times
95.59.142.130 (mail.nurecom.kz): 28 times
95.173.185.132 (client-132-185-173-95.reverse.ni.net.tr): 528 times
143.106.108.7 (hadar.bc.unicamp.br): 13 times
Illegal users from:
58.61.37.210: 1353 times
58.223.251.93: 1227 times
95.59.142.130 (mail.nurecom.kz): 37 times
95.173.185.132 (client-132-185-173-95.reverse.ni.net.tr): 325 times
143.106.108.7 (hadar.bc.unicamp.br): 2 times
Total: 3553 times
Monday --
Failed logins from:
61.155.177.2: 13 times
82.91.129.34 (host34-129-static.91-82-b.business.telecomitalia.it): 1 time
91.93.186.11: 92 times
203.92.45.70: 1 time
213.79.108.35 (mail.zelcom.ru): 30 times
Illegal users from:
61.155.177.2: 2 times
82.91.129.34 (host34-129-static.91-82-b.business.telecomitalia.it): 6 times
91.93.186.11: 1110 times
213.79.108.35 (mail.zelcom.ru): 9 times
Total: 1264 times
Tuesday --
Failed logins from:
79.188.50.35 (hly35.internetdsl.tpnet.pl): 757 times
80.153.186.212 (p5099bad4.dip0.t-ipconnect.de): 1 time
121.157.1.125: 31 times
125.7.229.86: 1 time
125.141.195.190: 1 time
202.100.91.157: 12 times
221.165.162.4: 193 times
Illegal users from:
79.188.50.35 (hly35.internetdsl.tpnet.pl): 42 times
121.157.1.125: 206 times
200.69.209.129: 1 time
202.100.91.157: 98 times
221.165.162.4: 44 times
Total: 1387 times
Wednesday --
Failed logins from:
114.113.17.152: 1 time
Illegal users from:
62.149.203.228 (host228-203-149-62.serverdedicati.aruba.it): 1 time
67.205.112.113: 1 time
190.84.234.186 (static-ip-cr19084234186.cable.net.co): 1 time
218.75.79.18: 1 time
Total: 5 times
I know that this is not the ultimate solution, as a script could very easily be written to get around this sort of thing, but it has obviously made a huge difference. And I intend to keep working on this sort of thing when I have a few minutes here and there. I am currently looking into public/private key pairs, to see how they will impact the situation as well, and whether they are feasible within my infrastructure.