Hello guys, a newbie here. I want to configure the "IpFilter" firewall on OmniOS to drop SSH connections after three bad passwords are entered and to time out for a while. I have found a way to do this, but the instructions refer to "IpTables", which is the firewall typically used on Linux, and it works differently (I hear it uses a script, whereas a Unix IpFilter uses a file).
Not a pro at this at all, just dabbling at "nixes", so I could use some help in converting the instructions to fit the IpFilter.
Could anyone help converting, or at least hint or give a direction? Thanks! Here are the instructions I have found for IpTables:
===================
With the following solution an attacker is allowed to produce exactly 3 failed logins in 2 minutes, or he will be blocked for 120 seconds.
1) Add the following line to /etc/ssh/sshd_config
MaxAuthTries 1
This will allow only 1 login attempt per connection. Restart the ssh server.
2) Add the following firewall rules
Create a new chain
iptables -N SSHATTACK
iptables -A SSHATTACK -j LOG --log-prefix "Possible SSH attack! " --log-level 7
iptables -A SSHATTACK -j DROP
Block for 120 seconds each IP address that establishes more than three connections within 120 seconds. On the fourth connection attempt, the request gets delegated to the SSHATTACK chain, which is responsible for logging the possible ssh attack and finally drops the request.
iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
==================
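
The two `-m recent` rules quoted above, modelled in Python as an added example (not part of the original post or of the quoted instructions), to make explicit the behaviour any IpFilter-side equivalent would have to reproduce: the fourth new connection inside 120 seconds is dropped, and retries during the block extend it. The class and function names, the sample addresses and times, and the 20-entry per-address history size are assumptions of this sketch.

```python
from collections import defaultdict, deque

SECONDS = 120    # --seconds 120
HITCOUNT = 4     # --hitcount 4
MAX_STAMPS = 20  # assumed per-address history size (xt_recent ip_pkt_list_tot)


class RecentList:
    """Simplified model of the single list both quoted rules share."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):
        # Rule 1 (--set): record the packet time. The rule has no -j target,
        # so the packet always continues to rule 2.
        self.stamps[src].append(now)

    def update(self, src, now):
        # Rule 2 (--update --seconds 120 --hitcount 4): match when at least
        # HITCOUNT timestamps fall inside the window, and record another
        # timestamp only when the rule matched.
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        matched = hits >= HITCOUNT
        if matched:
            self.stamps[src].append(now)
        return matched


def verdicts(events):
    """events: (time_in_seconds, source_ip) for each NEW packet to tcp/22,
    in time order. Returns (time, source_ip, verdict) tuples, where DROP means
    the packet was sent to SSHATTACK and CONTINUE means it went on down INPUT."""
    recent = RecentList()
    result = []
    for now, src in events:
        recent.set(src, now)
        hit = recent.update(src, now)
        result.append((now, src, "DROP" if hit else "CONTINUE"))
    return result


# Constructed sample: one noisy client and one well-behaved client.
SAMPLE = sorted(
    [(t, "192.0.2.10") for t in (0, 10, 20, 30, 100, 140, 260, 300)]
    + [(t, "198.51.100.7") for t in (5, 200)]
)

if __name__ == "__main__":
    for now, src, verdict in verdicts(SAMPLE):
        print(f"t={now:>3}s  {src:<13} {verdict}")
```
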